Re: [openpgp] First 4880bis drafts

Ian G <> Thu, 05 November 2015 19:30 UTC

References: <> <20151104182705.86af2e43c8@baae13974eb4556> <>
From: Ian G <>
Message-ID: <>
Date: Thu, 05 Nov 2015 19:30:52 +0000
List-Id: "Ongoing discussion of OpenPGP issues." <>

On 05/11/2015 01:30, brian m. carlson wrote:
> On Wed, Nov 04, 2015 at 06:34:33PM +0100, Aaron Zauner wrote:
>> * Werner Koch <> [04/11/2015 12:51:25] wrote:
>>>     o  Added Camellia cipher from RFC 5581.
>> Hrm. I'm against this.
>> CAMELLIA is going to be deprecated in e.g.
>> TLS because barely anyone uses it. I'm explicitly excluding anything
>> other than AES128 or 256 from my GnuPG config currently, I haven't
>> noticed any breakage in almost a year:
> As Werner pointed out, Camellia has been around for some time.

Whatever - let implementations provide Camellia if they want to; they 
will have to handle archives and so forth.

The *standard* should do better, work for the benefit of all.

The standard should have an aggressive role in deprecation.

> It's
> also good to have enough diversity that if someone comes out with a
> major attack against AES, we're not totally sunk.

This is hypothetical.  It's never happened in our time.  Our 
cryptographers are better than that, let's rely on them.

> Camellia is a Feistel
> cipher, while AES is a substitution-permutation network, which means
> that attacks are unlikely to work against both.

Sorry - can we worry about realistic user problems not hypothetical 
academic issues?

> Currently, if AES were to be broken, TLS implementations would not
> interoperate at a 128-bit or higher security level.  OpenPGP would
> continue to function without much thought, which is a major asset.

? AES isn't going to be broken.  Software is going to be buggy - let's 
reduce complexity. Protocols might be flawed, let's make it simpler.  
But AES broken?  No.  Get realistic.

> I'm for deprecating algorithms which provide less than a 128-bit
> security level, such as SHA-1 and 3DES.

It is the case that we face a threat around the 80 bit mark.  Sure.

So, I'd suspect we're going to set a mark for future OpenPGP at the 256 
bit level.  This would have been a no-brainer until recent NSA Suite B 
news.  Does anyone have a feeling for where we'd like to draw the line now?