[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ECC in OpenPGP proposal

To: ietf-openpgp@xxxxxxx
Subject: Re: ECC in OpenPGP proposal
From: "David Crick" <dacrick@xxxxxxxxx>
Date: Sat, 1 Mar 2008 12:44:23 +0000
Cc: "Andrey Jivsov" <openpgp@xxxxxxxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=Klvn1HOv+K9p/TGxgJ9JUzV86fRRNDOYMbMxxG9v8cc=; b=cWbYSnrqG1oLZDFo3ExXKAGldoXNU9DDEapridD1DvyE3aSbtmdbXQQuhJXv0CoNbe/2Shjop5p3nKiTj7dL/7NbaslNlUXaX1g3xb8gbljPDCpkBVcNM2HxgZSicw9yO6XygmSbYd4OHLgIdToWF/DWzV7kI0Zso2qulBcXvgw=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=uYloaQzddwWe04D9XMIowOpLIYHlkJXKDKym+77FAUDBlYc39XjxXS6TNJ3YHHm0suI1g+trm/MNcFNHluje2fdjZhdPvCBPhI7+j5vG/2i0v/a88y2ySW2ho1LsEa4yu3C/ZNtoBXYHOOa6KDkvwYmNEH816Zr0ofHGiVRAMYA=
In-reply-to: <47C8EB4B.9010909@xxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-id: <ietf-openpgp.imc.org>
List-unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
References: <117bad160802281102q315f490di4344ec5af6c05620@xxxxxxxxxxxxxx> <EF602543-DFBD-4544-AA34-4096E7FF3264@xxxxxxxxxx> <47C7FDEA.5070103@xxxxxxxxxxxxx> <117bad160802290516u4c204142n6427d5fccb6a60f4@xxxxxxxxxxxxxx> <47C82549.8080703@xxxxxxxxxxxxx> <117bad160802290820x4050e635kaf6d6d637149c4a9@xxxxxxxxxxxxxx> <47C8777F.2020702@xxxxxxxxxxxx> <117bad160802291622p5a2acab6obf56c8cce54aed2d@xxxxxxxxxxxxxx> <47C8EB4B.9010909@xxxxxxxxxxxx>
Sender: owner-ietf-openpgp@xxxxxxxxxxxx

On 3/1/08, Andrey Jivsov <openpgp@xxxxxxxxxxxx> wrote:
> David Crick wrote:
>  > The ecc-pre-6.txt's section 2 pretty much says "this is how to
>  > do ECC with AES," and we've said that this proposal is a "MAY."
>  > In a sense this is therefore some kind of a fork (sub-superset?)
>  > of 4880, so we're not concerned with 3DES (or CAST), and - as
>  > with DSA - we can make specific restrictions in order to meet
>  > compliance.

(further to my point above, if we really want ECC to support
3DES then the ECC document needs to be updated for that)

> I think we need to be careful here. Let's examine a use case.
>
>  I am a user of some RFC 4880 OpenPGP application. All algorithms are
>  available to me, e.g. I am not a government employee.
>
>  * I use the application to encrypt mail to 5 recipients, my friends.
>  They use RSA/DSA/ElGamal keys.
>
>  * I upgraded the application to the next version that happened to
>  implement "ECC in OpenPGP".
>
>  I assume that we agree that if I encrypt to exactly the same 5 people
>  with new version, as far as algorithm selection is concerned, the result
>  is identical to the previous version.
>
>  * I added 6th recipient to the list, which uses ECDH key.
>
>  I hope we will agree that it must be possible to send single e-mail to 6
>  recipients. RFC 4880 specifies that the default encryption algorithm is
>  3DES, thus, there is always a match. Why shouldn't single e-mail be sent
>  to 6 recipients with 3DES symmetric key?

I use PGP 2.6, I upgrade to PGP 5.0.  Shiny new DH/DSS
keys - but no RSA support!  Until the RSA patent expired
(well, was placed prematurely into the public domain) we
ran parallel systems and/or kept "old" and "new" keys.

Even now with 3DES as a must, we have this delightful
phrase in 4880:

"Implementations MUST implement TripleDES.  Implementations SHOULD
implement AES-128 and CAST5.  Implementations that interoperate with
PGP 2.6 or earlier *need to* support IDEA, as that is the only symmetric
cipher those versions use.  Implementations MAY implement any other
algorithm."

"need to"!

But, NB, "might not be able to" - due to the IDEA patent.

I seem to recall one of the PGP (5+) versions popping up
a message about mixed V3/V4 (or RSA/DH) keys when I
attempted to encrypt something (or maybe it was due to
an IDEA/3DES conflict).  (Maybe Jon can confirm my vague
recollections here?)

>  If the application is operating in Suite-B mode, or FIPS more, etc, then
>  the situation is different.

right.

> RFC 4880 currently grants to a user of embedded device a method to say
>  "don't do AES-256 to me" by using cipher preferences that exclude AES
>  256. We should respect this. We cannot change the fact that there are
>  hardware platforms that don't implement or don't like AES 256.

OK, but they SHOULD support AES-128 (which would make
a 128-256-256 ECC MUST not seem absolutely unworkable).

Question: how "interoperable" do these "embedded devices"
need to be with the rest of the world?

References:
- Re: ECC in OpenPGP proposal
  - From: David Crick
- Re: ECC in OpenPGP proposal
  - From: Jon Callas
- Re: ECC in OpenPGP proposal
  - From: Ian G
- Re: ECC in OpenPGP proposal
  - From: Ian G
- Re: ECC in OpenPGP proposal
  - From: David Crick
- Re: ECC in OpenPGP proposal
  - From: Andrey Jivsov
- Re: ECC in OpenPGP proposal
  - From: David Crick
- Re: ECC in OpenPGP proposal
  - From: Andrey Jivsov

Prev by Date: Thoughts and suggestions on V5 key format
Next by Date: Re: ECC in OpenPGP proposal
Previous by thread: Re: ECC in OpenPGP proposal
Next by thread: Re: ECC in OpenPGP proposal
Index(es):
- Date
- Thread