[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
On Fri, Apr 15, 2005 at 10:41:12AM -0700, Jon Callas wrote:
> On 13 Apr 2005, at 2:51 PM, David Shaw wrote:
> >There are too many years and too many implementations where 3DES is
> >the algorithm of last resort, and changing 3DES to a SHOULD
> >necessitates a different algorithm of last resort. We cannot change
> >that overnight.
> >By all means, add some new MUSTs to start the algorithm changing
> >process, but 3DES needs to stay as MUST as well for a good long time.
> I understand how you feel. I feel the same way. However, I have a
> question to ask:
> When? How long is "a good long time"? Forever?
I'd say "a good long time" is more than 2, but less than 5 years. I
base this on the surprising number of requests I still get to help get
GnuPG working with PGP 5 and PGP 6. There are people using these old
programs every day, (naturally installed years earlier, by someone who
no longer works there), and making this change would wreak all sorts
of havoc for these poor folks. A AES-is-default program can pretty
easily send them a message they cannot decrypt.
Changing the algorithm of last resort from 3DES sets up some cases of
incompatibility with PGP 6 and earlier, and GnuPG 1.0.3 and earlier on
one side, and modern versions on the other. It's easy to say that
people shouldn't be using these versions any longer (and I say that
often), but they are.
> The counter-argument is that there is no better time than now. The
> reasons to keep 3DES there only get stronger as time goes on. This
> problem becomes worse with time, not better.
I agree. That's why I'd like to sidestep the problem and change the
algorithm of last resort as part of a v5 key. There are no
compatibility problems then, as we're changing new keys, and not
retroactively changing the meaning of old keys.
Basically, I'm thinking this: given that it'll take a few years to
change from 3DES, and given that we must change the default hash away
from SHA-1 within the next few years, and given the Mister/Zuccherato
attack, and given the desire to publish 2440bis already, why not kill
a whole bunch of birds with one stone? Finish up 2440bis, publish it,
then sit down and design v5.
I'd probably feel differently about all this if 3DES was broken in
some way, but it's not broken. It's just slow.