Re: Suggested changes for DSA2
David Shaw <dshaw@jabberwocky.com> Wed, 29 March 2006 16:57 UTC
Date: Wed, 29 Mar 2006 11:33:22 -0500
From: David Shaw <dshaw@jabberwocky.com>
To: Hal Finney <hal@finney.org>
Cc: ietf-openpgp@imc.org
Subject: Re: Suggested changes for DSA2
On Tue, Mar 28, 2006 at 03:50:58PM -0800, "Hal Finney" wrote:
> David Shaw wrote:
> > How about this (presumably for the Security Considerations section):
> >
> > As OpenPGP combines many different asymmetric, symmetric, and hash
> > algorithms, each with different measures of strength, care should
> > be taken that the weakest element of an OpenPGP message is still
> > sufficiently strong for the purpose at hand. Implementations
> > receiving messages SHOULD indicate to the user the actual strength
> > of the messages. While consensus about the strength of a given
> > algorithm may evolve, at publication time, NIST Special Publication
> > 800-57 [SP800-57] recommended the following list of equivalent
> > strengths:
> >
> > [ put table here ]
>
> I like this general direction, but I don't think it will work to indicate
> to users the actual strength of message encryptions or signatures.
> There is no convenient way to express this information that will be
> understandable to the layman. We could say that a DSA1 signature has 80
> bits of strength, and a 2048 bit RSA encryption using AES-256 has 112 bits
> of strength, but that is too technical and also in most cases too much
> information. It's also non-standard practice in crypto implementations
> to provide this information, and I don't feel comfortable putting in
> a requirement for something this novel, without having experience to
> justify it.

I actually think this may well be simpler than what we have now.
Right now GPG says things like "Signature made with 4096-bit RSA key"
and optionally "Hash used was SHA-1" and such. I don't have a copy of
PGP handy at the moment to check, but I recall it doesn't say either.
Saying something like "This signature is 80 bits strong" would
actually give a single, reasonably accurate number to indicate
relative strength. I doubt many users can translate "4096 bit RSA
with SHA-1" into a strength value they can compare with other strength
values.

However, you're quite right that it is a large step to make such a
thing a SHOULD without any experience to justify it first. Certainly
any implementation that wants to experiment down that route can do so
without any special mandate in the standard.

Dropping the notification SHOULD from the change gives this (for the
Security Considerations section):

   As OpenPGP combines many different asymmetric, symmetric, and hash
   algorithms, each with different measures of strength, care should
   be taken that the weakest element of an OpenPGP message is still
   sufficiently strong for the purpose at hand. While consensus about
   the strength of a given algorithm may evolve, at publication time,
   NIST Special Publication 800-57 [SP800-57] recommended the
   following list of equivalent strengths:

   [ put table here ]

This is perhaps stating the obvious, but I think still worth
mentioning.

> > I'm still in favor of making the NIST list a SHOULD for generating
> > DSA2 keys, of course.
>
> Okay, well, maybe the rest of it is too complex to deal with for now.

Ok. I'll roll together a change take 4 and send it to the list.

David
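
The weakest-element calculation discussed in this message, as an added example that is not part of the original message or of any OpenPGP implementation. The tier values are the comparable strengths from NIST SP 800-57 Part 1 as commonly cited; the function names and the short algorithm lists are assumptions made for illustration.

```python
from bisect import bisect_right

# Comparable strengths per NIST SP 800-57 Part 1 (entered here from that
# publication, not from the message): (minimum modulus bits, security bits)
# for RSA/DSA/ElGamal moduli.
MODULUS_TIERS = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
# Symmetric ciphers: nominal security bits (3DES is three-key triple DES).
CIPHER_BITS = {"3DES": 112, "AES128": 128, "AES192": 192, "AES256": 256}
# Hash output sizes; for signatures the nominal strength is half the output.
HASH_OUTPUT = {"SHA1": 160, "SHA224": 224, "SHA256": 256, "SHA384": 384, "SHA512": 512}


def modulus_strength(bits):
    """Highest tier whose minimum modulus size is met; 0 if below 1024 bits."""
    idx = bisect_right([minimum for minimum, _ in MODULUS_TIERS], bits)
    return MODULUS_TIERS[idx - 1][1] if idx else 0


def _weakest(parts):
    """Return (strength, component name) of the weakest component."""
    name = min(parts, key=parts.get)
    return parts[name], name


def signature_strength(modulus_bits, hash_name, q_bits=None):
    """Weakest of key, hash and (for DSA) subgroup size q."""
    parts = {"key": modulus_strength(modulus_bits),
             "hash": HASH_OUTPUT[hash_name] // 2}
    if q_bits is not None:          # DSA only: q limits strength to q/2 bits
        parts["q"] = q_bits // 2
    return _weakest(parts)


def encryption_strength(modulus_bits, cipher_name):
    """Weakest of the public key and the symmetric cipher."""
    return _weakest({"key": modulus_strength(modulus_bits),
                     "cipher": CIPHER_BITS[cipher_name]})


if __name__ == "__main__":
    # The two cases named in the thread, plus a DSA key with a 160-bit q.
    print(signature_strength(4096, "SHA1"))        # limited by the hash
    print(encryption_strength(2048, "AES256"))     # limited by the key
    print(signature_strength(1024, "SHA1", q_bits=160))
```
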