Re: [openpgp] Proposed Patch to RFC4880bis to reserve two public key numbers

"Derek Atkins" <> Thu, 07 July 2016 11:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A1D2D12D74A for <>; Thu, 7 Jul 2016 04:21:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Z4KGAc92nIlt for <>; Thu, 7 Jul 2016 04:21:47 -0700 (PDT)
Received: from (MAIL2.IHTFP.ORG []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CB44D12D73F for <>; Thu, 7 Jul 2016 04:21:33 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id D4437E2043; Thu, 7 Jul 2016 07:21:31 -0400 (EDT)
Received: from ([]) by localhost ( []) (amavisd-maia, port 10024) with ESMTP id 14487-07; Thu, 7 Jul 2016 07:21:28 -0400 (EDT)
Received: by (Postfix, from userid 48) id 97F65E2042; Thu, 7 Jul 2016 07:21:28 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1467890488; bh=PKXPHxgx3uamK1ygudROFF+veRNnkYoIqC5qaMvVh1Q=; h=In-Reply-To:References:Date:Subject:From:To:Cc; b=NnCjKnh1ixE+WSb5QIxBHLVKU+OnsIMUMQk5JvhX+PCGlZvrrLOWHs2yweaR9iTDA BdUZO4dYk3Oq/P/YLQE56ZWOa38Aey0J7tCO+WuzJt7lJIefJER2Vnuwl2Ryn8D1N7 2Ubmi4GO3pkEq9vScIwLq/cUJwmpS9eswFlrAMBw=
Received: from (SquirrelMail authenticated user warlord) by with HTTP; Thu, 7 Jul 2016 07:21:28 -0400
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <>
Date: Thu, 07 Jul 2016 07:21:28 -0400
From: Derek Atkins <>
To: Stephen Farrell <>
User-Agent: SquirrelMail/1.4.22-14.fc20
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <>
Cc:, Derek Atkins <>
Subject: Re: [openpgp] Proposed Patch to RFC4880bis to reserve two public key numbers
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Jul 2016 11:21:49 -0000


On Thu, July 7, 2016 5:23 am, Stephen Farrell wrote:
> I forget if this cfrg posting [1] on AE was made visible here
> or not. Apologies if this is repetitive but that posting from
> Kenny Paterson on 20151113 seems quite relevant as it says:
> "
> My colleague Simon Blackburn and his collaborators have just
> published an attack on the Algebraic Eraser scheme, breaking the
> scheme at the designers' claimed 128-bit security level. Their
> attack recovers the shared key using 8 CPU hours and 64MB of
> memory. Their paper is here:

And there was a paper published in response to this:

> With no hats, I'd be against adding an algorithm, even as an
> option, if there are current serious questions about it's real
> security level. I do get the arguments for and against, but in
> such cases am against adding codepoints where there is no way
> to flag the codepoint as "likely dangerous" or some other
> similarly negative/scary warning. And while it's good to go to
> the effort to deprecate old codepoints that are now likely
> dangerous, I don't see that it's a good idea to add new ones
> "born" in that state.

Note again that it's just reserving the number; it's completely


> Putting my AD hat back on: if the WG do reach consensus to
> add such codepoints, then when it comes time to publish, I'll
> be looking back to the list to ensure that consensus was very
> clear on the list. For the AE ones, that's clearly happening
> via this thread which is fine process-wise, assuming more folks
> opine and the chairs declare consensus. I'm just noting that
> so we ensure the same clarify if there are other similarly
> contentious codepoint requests in order to avoid having to
> revisit stuff at publication time.

Frankly, we are already using code point 23 in production. I grabbed that
point years ago when I wrote the original I-D and posted it here (in
coordination with Werner, who grabbed 22 for EdDSA), well before this WG
reopened.  I doubt there will be a large contingent looking to implement
it, which is fine.  But I'd like to make sure nobody else uses that code

       Derek Atkins                 617-623-3745   
       Computer and Internet Security Consultant