IETF Logo Mail Archive

Re: Suggested changes for DSA2

David Shaw <dshaw@jabberwocky.com> Wed, 29 March 2006 16:57 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FOdzH-00054r-Gu for openpgp-archive@lists.ietf.org; Wed, 29 Mar 2006 11:57:39 -0500
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FOdzH-0006Cq-2b for openpgp-archive@lists.ietf.org; Wed, 29 Mar 2006 11:57:39 -0500
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2TGXXfg053037; Wed, 29 Mar 2006 09:33:33 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k2TGXXxF053036; Wed, 29 Mar 2006 09:33:33 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from foobar.cs.jhu.edu (foobar.cs.jhu.edu [128.220.13.173]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2TGXWXH053030 for <ietf-openpgp@imc.org>; Wed, 29 Mar 2006 09:33:32 -0700 (MST) (envelope-from dshaw@jabberwocky.com)
Received: from walrus.hsd1.ma.comcast.net (walrus.hsd1.ma.comcast.net [24.60.132.70]) by foobar.cs.jhu.edu (8.11.6/8.11.6) with ESMTP id k2TGXVk30758; Wed, 29 Mar 2006 11:33:31 -0500
Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.13.6/8.13.5) with ESMTP id k2TGXYC4026622; Wed, 29 Mar 2006 11:33:34 -0500
Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id k2TGXPos001136; Wed, 29 Mar 2006 11:33:25 -0500
Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id k2TGXM3b001135; Wed, 29 Mar 2006 11:33:22 -0500
Date: Wed, 29 Mar 2006 11:33:22 -0500
From: David Shaw <dshaw@jabberwocky.com>
To: Hal Finney <hal@finney.org>
Cc: ietf-openpgp@imc.org
Subject: Re: Suggested changes for DSA2
Message-ID: <20060329163322.GA1001@jabberwocky.com>
Mail-Followup-To: Hal Finney <hal@finney.org>, ietf-openpgp@imc.org
References: <20060328235058.9FD9857FAE@finney.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20060328235058.9FD9857FAE@finney.org>
OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc
User-Agent: Mutt/1.5.11
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 41c17b4b16d1eedaa8395c26e9a251c4

On Tue, Mar 28, 2006 at 03:50:58PM -0800, "Hal Finney" wrote:
> David Shaw wrote:

> > How about this (presumably for the Security Considerations section):
> >
> >    As OpenPGP combines many different asymmetric, symmetric, and hash
> >    algorithms, each with different measures of strength, care should
> >    be taken that the weakest element of an OpenPGP message is still
> >    sufficiently strong for the purpose at hand.  Implementations
> >    receiving messages SHOULD indicate to the user the actual strength
> >    of the messages.  While consensus about the the strength of a given
> >    algorithm may evolve, at publication time, NIST Special Publication
> >    800-57 [SP800-57] recommended the following list of equivalent
> >    strengths:
> >
> >        [ put table here ]
> 
> I like this general direction, but I don't think it will work to indicate
> to users the actual strength of message encryptions or signatures.
> There is no convenient way to express this information that will be
> understandable to the layman.  We could say that a DSA1 signature has 80
> bits of strength, and a 2048 bit RSA encryption using AES-256 has 112 bits
> of strength, but that is too technical and also in most cases too much
> information.  It's also non-standard practice in crypto implementations
> to provide this information, and I don't feel comfortable putting in
> a requirement for something this novel, without having experience to
> justify it.

I actually think this may well be simpler than what we have now.
Right now GPG says things like "Signature made with 4096-bit RSA key"
and optionally "Hash used was SHA-1" and such.  I don't have a copy of
PGP handy at the moment to check, but I recall it doesn't say either.
Saying something like "This signature is 80 bits strong" would
actually give a single, reasonably accurate number to indicate
relative strength.  I doubt many users can translate "4096 bit RSA
with SHA-1" into a strength value they can compare with other strength
values.

However, you're quite right that it is a large step to make such a
thing a SHOULD without any experience to justify it first.  Certainly
any implementation that wants to experiment down that route can do so
without any special mandate in the standard.

Dropping the notification SHOULD from the change gives this (for the
Security Considerations section):

   As OpenPGP combines many different asymmetric, symmetric, and hash
   algorithms, each with different measures of strength, care should
   be taken that the weakest element of an OpenPGP message is still
   sufficiently strong for the purpose at hand.  While consensus about
   the the strength of a given algorithm may evolve, at publication
   time, NIST Special Publication 800-57 [SP800-57] recommended the
   following list of equivalent strengths:

      [ put table here ]

This is perhaps stating the obvious, but I think still worth
mentioning.

> > I'm still in favor of making the NIST list a SHOULD for generating
> > DSA2 keys, of course.
> 
> Okay, well, maybe the rest of it is too complex to deal with for now.

Ok.  I'll roll together a change take 4 and send it to the list.

David

v2.23.0 | Report a Bug | By Email