Re: Why ECC?

Rodney Thayer <rodney@tillerman.to> Tue, 24 September 2002 15:43 UTC

Date: Tue, 24 Sep 2002 08:30:28 -0700
To: ietf-openpgp@imc.org
From: Rodney Thayer <rodney@tillerman.to>
Subject: Re: Why ECC?

At 03:18 AM 9/25/2002 +1200, Peter Gutmann wrote:
>Rodney Thayer <rodney@tillerman.to> writes:
>
> >Why do we want ECC in OpenPGP?
>
>Because it already contains every algorithm anyone could think of anyway,
>and a few more for implementors to ignore wouldn't matter?

Well as I see it there's the "lifeboat" principle.  If someone, somewhere,
publishes a 3-line perl script that breaks 2048 bit RSA, we'd like to have
a second public key algorithm in the protocol spec so we could switch over.

This has two problems:

-- the powers that be in the IETF tend to spit in your eye when you propose
this class of logic.  Been there, tried that.  They assume RSA is immortal.

-- we already have DSA for that.  (Well if we want to claim RSA and DSA are
structurally related we don't but that's not the question at hand)

The second thing we're doing is violating the "it should be implementable"
principle.  These RFC's are supposed to be buildable by normal mortals.
Adding 80,000 bells and whistles is stupid -- we get specs that are
hard to implement, hard to interoperate, and hard to read (for things
like security flaws).

So, I come back to my question -- why do we want ECC?  If there isn't
a requirement it fulfills it shouldn't be in the standard -- it just
takes up space and causes problems.