IETF Logo Mail Archive

Cost-benefit analysis of algorithm substitution

Ian G <iang@systemics.com> Thu, 30 March 2006 14:31 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FOyB8-0007rs-O4 for openpgp-archive@lists.ietf.org; Thu, 30 Mar 2006 09:31:14 -0500
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FOy4y-0006sO-0W for openpgp-archive@lists.ietf.org; Thu, 30 Mar 2006 09:24:52 -0500
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2UDxLsN010672; Thu, 30 Mar 2006 06:59:21 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k2UDxLpQ010671; Thu, 30 Mar 2006 06:59:21 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailgate.enhyper.net ([80.168.109.121]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2UDxJxm010661 for <ietf-openpgp@imc.org>; Thu, 30 Mar 2006 06:59:20 -0700 (MST) (envelope-from iang@systemics.com)
Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id D9AFE5A40F; Thu, 30 Mar 2006 14:59:17 +0100 (BST)
Message-ID: <442BE3BC.8050002@systemics.com>
Date: Thu, 30 Mar 2006 15:57:16 +0200
From: Ian G <iang@systemics.com>
Organization: http://financialcryptography.com/
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20051013)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: OpenPGP <ietf-openpgp@imc.org>
Cc: Jon Callas <jon@callas.org>
Subject: Cost-benefit analysis of algorithm substitution
References: <20060326180218.12C8057FAE@finney.org> <20060326215531.GF30637@jabberwocky.com> <4427E67A.8050202@systemics.com> <20060327150120.GA25414@jabberwocky.com> <20060327154427.GC7346@epointsystem.org> <23598E55-F454-4ED8-B3C7-7B716FDC3205@callas.org>
In-Reply-To: <23598E55-F454-4ED8-B3C7-7B716FDC3205@callas.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 25620135586de10c627e3628c432b04a

Jon Callas wrote:
> 
> On 27 Mar 2006, at 7:44 AM, Daniel A. Nagy wrote:
> 
>> I agree with David here. The standard's purpose is to ensure
>> interoperability. It should tell us the sematics behind sequences  of 
>> bytes.
>> It is up to the implementation to make decisions based on these  
>> semantics.
>> Valid reasons to exclude certain combinations from the standard  include
>> ambiguity of interpretation, inherent insecurity or a wide  installed 
>> base of
>> incompatible implementations, but not the possibility of weird  uses, 
>> IMHO.
>>
> 
> I agree as well with both Davids.

Well, I can see I've lost the consensus battle on
this one - but I would propose that the purpose of
the ID is security, over and above interoperability,
and that is an entirely valid reason to exclude
"Weird Uses."

In general, with security, the less choice the better.

> As an observation, in 2440 one of the things we allowed was deviation  
> from DSS because the rough consensus had a certain amount of  grumpiness 
> with the US Government. In practice, hardly anyone did  anything 
> different with DSA than DSS. We even removed hash functions.
> 
> Many things have changed in the last decade, but toeing the exact  NIST 
> line or even being like them only moreso is going a bit too far.  In the 
> next decade, we're going to see a lot of advancement in hash  functions. 
> Someone is going to want to use those new hash functions  with DSA, and 
> it would be nice to be able to move faster than NIST.

As to the political circumstances of the past, it is
true that the community did certain daft things that
reduced security in response to the USG's own set of
daft things that reduced security.  It's definately
not good to follow either lead...

> Let's suppose someone comes up with a new hash function that is 251  
> bits. (I picked 251 because it's prime and less than 256.) We don't  
> want a constitutional crisis over using it. We want to be flexible  
> enough that it's pretty obvious how to extend OpenPGP to use new hash  
> functions with DSA.

It seems that PGP's design bends over backwards
to be flexible.  It's a lot of fun for crypto-
plumbers;  in fact it looks like it has been
designed as a toykit for programmers to muck
around with algorithms.

In practice, though, this flexibility seems to
rarely be used in any sensible way.

And, again, in practice, this flexibility causes
endless discussions on this mailgroup - as seen
this week - and other places where implementors
and users try and figure what goes with what.

It all takes up time from other important things.

So I guess what I'm saying is ... all this
flexibility ... how many times has it been used
to advantage, and how many times to disadvantage?

What's the cost-benefit analysis here?

iang

v2.23.0 | Report a Bug | By Email