Cost-benefit analysis of algorithm substitution
Ian G <iang@systemics.com> Thu, 30 March 2006 14:31 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FOyB8-0007rs-O4 for openpgp-archive@lists.ietf.org; Thu, 30 Mar 2006 09:31:14 -0500
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FOy4y-0006sO-0W for openpgp-archive@lists.ietf.org; Thu, 30 Mar 2006 09:24:52 -0500
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2UDxLsN010672; Thu, 30 Mar 2006 06:59:21 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k2UDxLpQ010671; Thu, 30 Mar 2006 06:59:21 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailgate.enhyper.net ([80.168.109.121]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2UDxJxm010661 for <ietf-openpgp@imc.org>; Thu, 30 Mar 2006 06:59:20 -0700 (MST) (envelope-from iang@systemics.com)
Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id D9AFE5A40F; Thu, 30 Mar 2006 14:59:17 +0100 (BST)
Message-ID: <442BE3BC.8050002@systemics.com>
Date: Thu, 30 Mar 2006 15:57:16 +0200
From: Ian G <iang@systemics.com>
Organization: http://financialcryptography.com/
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20051013)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: OpenPGP <ietf-openpgp@imc.org>
Cc: Jon Callas <jon@callas.org>
Subject: Cost-benefit analysis of algorithm substitution
References: <20060326180218.12C8057FAE@finney.org> <20060326215531.GF30637@jabberwocky.com> <4427E67A.8050202@systemics.com> <20060327150120.GA25414@jabberwocky.com> <20060327154427.GC7346@epointsystem.org> <23598E55-F454-4ED8-B3C7-7B716FDC3205@callas.org>
In-Reply-To: <23598E55-F454-4ED8-B3C7-7B716FDC3205@callas.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 25620135586de10c627e3628c432b04a
Jon Callas wrote: > > On 27 Mar 2006, at 7:44 AM, Daniel A. Nagy wrote: > >> I agree with David here. The standard's purpose is to ensure >> interoperability. It should tell us the sematics behind sequences of >> bytes. >> It is up to the implementation to make decisions based on these >> semantics. >> Valid reasons to exclude certain combinations from the standard include >> ambiguity of interpretation, inherent insecurity or a wide installed >> base of >> incompatible implementations, but not the possibility of weird uses, >> IMHO. >> > > I agree as well with both Davids. Well, I can see I've lost the consensus battle on this one - but I would propose that the purpose of the ID is security, over and above interoperability, and that is an entirely valid reason to exclude "Weird Uses." In general, with security, the less choice the better. > As an observation, in 2440 one of the things we allowed was deviation > from DSS because the rough consensus had a certain amount of grumpiness > with the US Government. In practice, hardly anyone did anything > different with DSA than DSS. We even removed hash functions. > > Many things have changed in the last decade, but toeing the exact NIST > line or even being like them only moreso is going a bit too far. In the > next decade, we're going to see a lot of advancement in hash functions. > Someone is going to want to use those new hash functions with DSA, and > it would be nice to be able to move faster than NIST. As to the political circumstances of the past, it is true that the community did certain daft things that reduced security in response to the USG's own set of daft things that reduced security. It's definately not good to follow either lead... > Let's suppose someone comes up with a new hash function that is 251 > bits. (I picked 251 because it's prime and less than 256.) We don't > want a constitutional crisis over using it. We want to be flexible > enough that it's pretty obvious how to extend OpenPGP to use new hash > functions with DSA. It seems that PGP's design bends over backwards to be flexible. It's a lot of fun for crypto- plumbers; in fact it looks like it has been designed as a toykit for programmers to muck around with algorithms. In practice, though, this flexibility seems to rarely be used in any sensible way. And, again, in practice, this flexibility causes endless discussions on this mailgroup - as seen this week - and other places where implementors and users try and figure what goes with what. It all takes up time from other important things. So I guess what I'm saying is ... all this flexibility ... how many times has it been used to advantage, and how many times to disadvantage? What's the cost-benefit analysis here? iang
- Suggested changes for DSA2 David Shaw
- Re: Suggested changes for DSA2 "Hal Finney"
- Re: Suggested changes for DSA2 David Shaw
- Re: Suggested changes for DSA2 Ben Laurie
- Re: Suggested changes for DSA2 "Hal Finney"
- Re: Suggested changes for DSA2 David Shaw
- Re: Suggested changes for DSA2 Ian G
- Re: Suggested changes for DSA2 David Shaw
- Re: Suggested changes for DSA2 David Shaw
- Re: Suggested changes for DSA2 Daniel A. Nagy
- Re: Suggested changes for DSA2 Jon Callas
- Re: Suggested changes for DSA2 "Hal Finney"
- Re: Suggested changes for DSA2 David Shaw
- Re: Suggested changes for DSA2 "Hal Finney"
- Re: Suggested changes for DSA2 David Shaw
- Re: Suggested changes for DSA2 Daniel A. Nagy
- Re: Suggested changes for DSA2 "Hal Finney"
- Re: Suggested changes for DSA2 "Hal Finney"
- Re: Suggested changes for DSA2 David Shaw
- Re: Suggested changes for DSA2 David Shaw
- Cost-benefit analysis of algorithm substitution Ian G