
Re: Algorithms and specifiers



On Mon, 23 Mar 1998, Jon Callas wrote:

> The question came up in the last stream of what happens if 3DES gets
> broken. The answer is that we're in trouble. Any protocol that has a single
> MUST algorithm has a single point of failure. Realistically, if that does
> happen, on this list (or some other) there will be a flurry of discussion,
> and then we'll pick one to be the new MUST algorithm. This would be
> painful, but it wouldn't be much more painful than excising out CAST5 or
> IDEA. Probably less than IDEA.

The problem is a conflict that some faction wants to minimize the MUST
list (either for implementation reasons, e.g. PDAs, or because they don't
like or trust Blowfish, CAST5, or SAFER/SK128 - all I think are
unencumbered).

If we have a single MUST, then that singleton is the default and has the
problems you mention.  If we add a second MUST, the conventional cipher
code innards double in size.

But I would also note that the same thing happens with RSA vs. DH.  Or
even the various hash algorithms - MD5 has been superseded by SHA1 - but
isn't that vulnerable too?  Part of the idea is to move ahead so that what
gets implemented by this spec will supersede both pgp 2.6.2 and pgp 5.x,
leaving a single "standard" with a universal MUST subset.

At the same time, where capable, every implementation should include the
SHOULDs to avoid the above problems.  SHOULD is not simply another way of
saying "MAY".

Though I still have problems with defaulting to 3DES if there is no
preferred cipher listed.  I should be able to encrypt using any SHOULD
algorithm and get a reply stating "I can't decrypt it, please use X" if
they published the key without a preference.  If there *is* a preferred
cipher, and it is 3DES, I must use 3DES.  If there is a list not including
3DES, but I don't implement any of them, I should use 3DES.

One note is that when generating the key for publication, what if I start
on my desktop with a full implementation, but then move to my PDA which
only has 3DES - I need a key update cert.  Or I should be asked what the
preferred cipher set is when I generate the key with a note that if I plan
to move the key to other implementations, I should use only 3DES as the
preferred cipher.

--- reply to tzeruch - at - ceddec - dot - com ---
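
An added example, not part of the original message or of any PGP implementation: a sketch of the cipher-selection rules proposed above, plus a check for the desktop-to-PDA case. The function names are hypothetical, and the rule for a preference list that does overlap with the sender's ciphers (take the recipient's first match) is an assumption the message does not spell out.

```python
# Added illustration; names and rule ordering are assumptions, not spec text.
MUST = "3DES"  # the single MUST cipher discussed in the thread


def choose_cipher(recipient_prefs, sender_impl, sender_choice=None):
    """Pick the symmetric cipher for a message to one recipient.

    recipient_prefs: ordered list from the recipient's key, or [] if none.
    sender_impl: set of ciphers the sender implements (always holds MUST).
    sender_choice: cipher the sender would like when no preference exists.
    """
    if MUST not in sender_impl:
        raise ValueError("every implementation must support " + MUST)
    if not recipient_prefs:
        # No preference published: the message proposes letting the sender
        # use any algorithm it has, instead of forcing the 3DES default.
        if sender_choice in sender_impl:
            return sender_choice
        return MUST
    # Assumed rule: first recipient preference the sender implements.
    for cipher in recipient_prefs:
        if cipher in sender_impl:
            return cipher
    # A list without 3DES and no overlap: fall back to the MUST cipher.
    return MUST


def stale_preferences(published_prefs, device_impl):
    """Preferences on a published key that this device cannot decrypt.

    A non-empty result means the key needs an updated preference list
    before it is used on this device (the desktop-to-PDA case).
    """
    return [c for c in published_prefs if c not in device_impl]


if __name__ == "__main__":
    # Constructed sample capability sets.
    desktop = {"3DES", "CAST5", "IDEA", "Blowfish"}
    pda = {"3DES"}
    print(choose_cipher([], desktop, "CAST5"))
    print(choose_cipher(["3DES"], desktop, "CAST5"))
    print(choose_cipher(["IDEA", "CAST5"], pda))
    print(stale_preferences(["CAST5", "3DES"], pda))
```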