[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ECC in OpenPGP proposal

To: ietf-openpgp@xxxxxxx
Subject: Re: ECC in OpenPGP proposal
From: "David Crick" <dacrick@xxxxxxxxx>
Date: Thu, 28 Feb 2008 19:02:18 +0000
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=tNrRcOricLqBSfJ0hhRKhKSW6twoLdFazL/yL/CZLsY=; b=CwlLsb17t7NYAcKdmzVBFQdrYyDDUwqc1EzAlZPLC+b4bFSCj4CrVPH1KMtZngthYV+/zhcjrzUbPdTnWaubz+LzHE6vCipTuUyNRYU1rl+2PFU/TZNB9sFW8tFE0ZFWBsHhqSIYHF/G87Yx3L5qKJJYl+RAhIZs/ifojqnNJJY=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=n9WGCiqPuMioT7Twmz7xmHAbBu+kDbEMSzZrHMsNq1teEr7wfMAZCpvSn3tuunydlpnZdVysXJ9AeSmQp6SjzAiglDi3DLYx+VlL2Rf1lma8wgho18gBikCTYW0UbtwNiB5T/ebCJOUfh1GmffefWh0HYJZ4VgzBkVumcuoaPLY=
List-archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-id: <ietf-openpgp.imc.org>
List-unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
Sender: owner-ietf-openpgp@xxxxxxxxxxxx

Ian wrote:

> Hmmm... you raise an interesting point. I had thought that this
> was going to be a new document, and as it is not referred to in
> the existing core RFC, then ECC/Suite B was going to be a MAY by
> definition.
>
> Within that new (MAY) document, there would be several choices
> for MUST, SHOULD, MAY, etc.
>
> Or so I thought ... but I'm not fully aware of how these things interact.

and further:

> > I don't see how we can simplify past dropping 192.
>
>
> OK, if you are happy to carry on this discussion ... what are the
> reasons for including the 128-bit profile?

assuming the may -> whatever chain above holds, what about:

MAY implement ECC
  o MUST implement AES256-SHA384-384ECC
  o SHOULD implement AES128-SHA256-256ECC
  o MAY implement AES256-SHA512-521ECC
    [and/or any other combinations, but these might be "unbalanced"]

we currently *have* 3072 RSA/DSA strength (or 4096 RSA/ElG for
those wanting a bit of extra headroom); higher size DSA isn't in
any [e.g. NIST] standard, and >=4K RSA/ElG public key ops begin
to take a noticeable time even on my desktop (so while 7K RSA
keys are a simple source-change in GnuPG, ECC would definitely
make sense to achieve a balanced crypto system at this strength).

Now, for "embedded"/constrained systems there may only be the
chance to do AES128-SHA256-256ECC, which would conflict with my
"SHOULD" suggestion above.  So there would probably be scope for
the AES128 set to be a SHOULD as well, or even the MUST instead.

To be honest I think having AES256-SHA384-384ECC *and*
AES128-SHA256-256ECC in *some* form of MUST/SHOULD *is*
desirable: it covers both the two "Suite B" available
balanced set of algorithms, which may be important to
some people (and is certainly more "marketable" anyway).

I wouldn't personally "protest" if AES256-SHA512-521ECC
were also included, but I think anything more than these
three balanced sets is "silly."

Follow-Ups:
- Re: ECC in OpenPGP proposal
  - From: Jon Callas

Prev by Date: Re: ECC in OpenPGP proposal
Next by Date: Re: ECC in OpenPGP proposal
Previous by thread: Re: ECC in OpenPGP proposal
Next by thread: Re: ECC in OpenPGP proposal
Index(es):
- Date
- Thread