[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ECC curve ID

To: Andrey Jivsov <openpgp@xxxxxxxxxxxx>
Subject: Re: ECC curve ID
From: Werner Koch <wk@xxxxxxxxx>
Date: Mon, 05 May 2008 12:06:15 +0200
Cc: ietf-openpgp@xxxxxxx
In-reply-to: <4808ECD9.8050204@xxxxxxxxxxxx> (Andrey Jivsov's message of "Fri, 18 Apr 2008 11:47:53 -0700")
List-archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-id: <ietf-openpgp.imc.org>
List-unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
Openpgp: id=5B0358A2; url=finger:wk@xxxxxxxxxxx
Organisation: g10 Code GmbH
References: <87lk564ctl.fsf@xxxxxxxxxxxxxxxxxxxxx> <47C5F2BD.6030003@xxxxxxxxxxxx> <87r6d4eu4g.fsf@xxxxxxxxxxxxxxxxxxxxx> <4808ECD9.8050204@xxxxxxxxxxxx>
Sender: owner-ietf-openpgp@xxxxxxxxxxxx
User-agent: Gnus/5.110007 (No Gnus v0.7)

On Fri, 18 Apr 2008 20:47, openpgp@xxxxxxxxxxxx said:

> Pros for OpenPGP IDs.
>
> 1) Vote of confidence for a particular curve. If it is included,
> potential implementers have agreed on it. It will be more likely
> widely supported. For example this is useful for hardware folks who
> plan far ahead, plays in the decisions about which curve to use in key
> self-signatures, and gives priorities to performance optimizations.

The same can be said of OIDs.

> 2) Shorter public keys, faster, smaller code (switch() v.s. memcmp()).

Well, okay.

> 3) consistency with the way OpenPGP references other algorithms.

Only if we agree that a curveID describes an OpenPGP algorithm.  In my
view this is a parameter of the algorithm, much like p, q and g in DSA
or even the key size of all aglgorithms.

For sure I do not want to convey all ECC curve parameters, thus using a
way to describe the curve is important.

> 4) Named curves can be introduced as an extension. The core set of
> curves will be encoded as integers, others as named curves.

I thought of that and was about to propose a format using an ID of 0 to
identify a named curve.  However the specification as well as the code
will be more complicated - even in the case that named curves are not
supported by the implementation.  

> Do you see any value in having some approval process for new curves?
> Does it bother you that I can use some questionable curve and it will
> carry equal status per the spec to the three curves we discussed so
> far (will we have a method to distinguish "next good" curve past P-521
> from an experimental curve) ?

No.  We also don't approve implementations and have no real limits on
key sizes.  It is easy to get things wrong.  Using a good curve is as
important as to use sound parameters for RSA.

> Can we reach an agreement if the document also defined a method to
> list named curves, along the lines of Werner's proposal?

If there is no other way to allow for arbitrary curves, I would agree to
it. However, I still believe that an OID with a memcmp in the code is
easier to implement than a numeric ID with a switch and a mechnism to
cope withe the optional OID named curve.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

References:
- ECC curve ID
  - From: Werner Koch
- Re: ECC curve ID
  - From: Andrey Jivsov
- Re: ECC curve ID
  - From: Werner Koch
- Re: ECC curve ID
  - From: Andrey Jivsov

Prev by Date: Re: OpenPGP keys and Suite-B
Next by Date: Re: OpenPGP keys and Suite-B
Previous by thread: Re: ECC curve ID
Next by thread: Thoughts and suggestions on V5 key format
Index(es):
- Date
- Thread