It turns out that we've been thinking about stronger encryption too. We
added EDE2 to our internal "to do" list several days ago, but it's not
on our critical path. (We are very busy wrapping up the next version
of TIS/PEM so we can get it distributed broadly ASAP. EDE2 will
probably not be included, but we will get to it pretty quickly. As
has been noted, the PEM specs and our PEM code are quite modular at
this level, so it's pretty easy to add. Choosing the identifier may
consume more time than the actual implementation :-)
Our default choice is EDE2. However, this is definitely something for
the community to discuss. It seems to me the right criteria are:
(1) cryptographic strength and
(2) agreement among implementors (including availability of hardware products).
With respect to (1), it would be helpful to have input from
knowledgeable cryptographers. It's clearly desirable that whatever
cryptography is chosen not have a flaw or be weaker than expected.
It's also desirable, in my view, not to engage in needless overkill.
In the present discussion, the question on the table seems to be
whether EDE2 is adequate or whether EDE3 is the wiser choice. (If
others see other questions, that's fine; I'm not trying to constrain
the discussion.)
Quite a bit of judgment is involved in these decisions, so individuals
may disagree.
Question (2) is also important, particularly if there are multiple
choices which are strong enough.
It would be good to get some informed opinion on record here...
Steve