Re: Suggested changes for DSA2

Ian G <iang@systemics.com> Mon, 27 March 2006 13:43 UTC

Message-ID: <4427E67A.8050202@systemics.com>
Date: Mon, 27 Mar 2006 15:19:54 +0200
From: Ian G <iang@systemics.com>
Organization: http://financialcryptography.com/
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20051013)
MIME-Version: 1.0
To: David Shaw <dshaw@jabberwocky.com>
Cc: Hal Finney <hal@finney.org>, ietf-openpgp@imc.org
Subject: Re: Suggested changes for DSA2
References: <20060326180218.12C8057FAE@finney.org> <20060326215531.GF30637@jabberwocky.com>
In-Reply-To: <20060326215531.GF30637@jabberwocky.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk

David Shaw wrote:
> On Sun, Mar 26, 2006 at 10:02:18AM -0800, "Hal Finney" wrote:
> 
> 
>>It's always a tricky question, how much we should try to enforce
>>security standards in a data-format document.  We do put minimum length
>>restrictions on the moduli to try to protect users against making one
>>kind of mistake, using a too-short key.  In the same way, I don't think
>>we should allow them to use a 160-bit q for a 3072-bit p.  This is the
>>spirit behind my suggestion to just allow the NIST sizes.
> 
> 
> I think we more or less agree on this.  My only sticking point is the
> idea of allowing people to do something other than the NIST sizes.
> How about we make the NIST sizes a SHOULD (like the minimum length
> restrictions are SHOULD NOTs), and add a sentence after that to read
> something like "Caution should be taken when deviating from the above
> parameters which were carefully chosen to balance the strength of the
> hash with the strength of the key." ?
> 
> That would seem to be the best of all worlds: we strongly advise
> people to use the NIST sizes, tell them why we want them to use the
> NIST sizes, but don't lock them down.

The question is more whether a receiving implementation
should / may read non-preferred sizes.  My inclination
is to reduce them wherever possible.  I've yet to see a
real case where it has been useful to have non-standard
sizes, and I've seen many cases where incompatibilities
have sprung from overly broad readings of what was allowed.

There's also no need for the standard to say this at all.
If there was a need for a variant, then the various
implementations can try it out and implement it as a non-
standard variant.

I would vote for just allowing a subset of the NIST sizes.
That is, something like an implementation MUST accept the
NIST set, and SHOULD reject all others.  If a need for a
variant comes up, the developers have to battle it out and
justify going up against the SHOULD.  If there is a clear
need, then they'll work it out.

iang

PS:  was it Bernstein who said, be precise in what you
output, and be precise in what you accept for input?

Suggested changes for DSA2 David Shaw
Re: Suggested changes for DSA2 "Hal Finney"
Re: Suggested changes for DSA2 David Shaw
Re: Suggested changes for DSA2 Ben Laurie
Re: Suggested changes for DSA2 "Hal Finney"
Re: Suggested changes for DSA2 David Shaw
Re: Suggested changes for DSA2 Ian G
Re: Suggested changes for DSA2 David Shaw
Re: Suggested changes for DSA2 David Shaw
Re: Suggested changes for DSA2 Daniel A. Nagy
Re: Suggested changes for DSA2 Jon Callas
Re: Suggested changes for DSA2 "Hal Finney"
Re: Suggested changes for DSA2 David Shaw
Re: Suggested changes for DSA2 "Hal Finney"
Re: Suggested changes for DSA2 David Shaw
Re: Suggested changes for DSA2 Daniel A. Nagy
Re: Suggested changes for DSA2 "Hal Finney"
Re: Suggested changes for DSA2 "Hal Finney"
Re: Suggested changes for DSA2 David Shaw
Re: Suggested changes for DSA2 David Shaw
Cost-benefit analysis of algorithm substitution Ian G