On Thu, 2 May 2024 14:27, Andrew Gallagher said: > This is an enormous set of initial combinations, not all of which make > any sense. Why suggest pairing P-256 curves with kyber1024? Do we need
I already mentipned that this list is up for discussion. Well, except for the SHOULDs which at least need to stay in the list. There are no MUSTs here because PQC algorithms are not mandatory and needed for all applications. Instead implementations should decide what to do. > all three grades of brainpool and NIST? The four SHOULDs and the > corresponding two NIST equivalents are plenty. The Brainpool curves are needed and not subject to discussion. Adding different codepoints for the same algorithm (ECC-KEM + ML-KEM aka Kyber) is a major implementation hassle and diverts from existing OpenPGP protocol behaviour. There is one code point for RSA, one for DSA, one for Elgamal, one for ECDH, one for ECDSA, one for EdDSA, and now one for Kyber. They all have different parameters: either length of parameters or an OID for the curev parameters (which are too large to include in all keys). Thus it is natural to do the same for Kyber. After all we are not TLS with its hunderds of codepoints for algorithms. Adding more codepoints to TLS is also the natural way - for TLS. > Once again I’ll beg you to please implement the Kousidis, Strenzke and > Wussler spec instead of making trivial changes to their assigned The changes might sound trivial but I explained them above. They come from an implementer with a specific and practical knowledge of OpenPGP protocol needs. The actual algorithm and cryptography has not changed because that is not my specific knowledge. That is how OpenPGP has always been extended - let the crypto folks do the math and the coders the implementation. > numbers in order to start a pointless and exhausting fight with the > IETF WG over ownership of the registry. If we need to allocate four We can't wait another 9 years for a simple crypto enhancement. We need a new identifier NOW and need to get it used. After a discussion with the BSI we will temporary add a notification to Kyber keys created according to the current ML-KEM draft. Just in case the NIST decides to do some final changes we can the detect keys created according to the current draft and sort them out. Salam-Shalom, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein
openpgp-digital-signature.asc
Description: PGP signature
_______________________________________________ Gnupg-devel mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-devel
