multiple subkeys and key transition

Robert J. Hansen rjh at
Fri Dec 10 00:55:57 CET 2010

On 12/9/2010 6:18 PM, Ben McGinnes wrote:
> The last bit of documentation I saw on ECC is a little old and stated
> that it wasn't well known enough to consider using.  I guess that's
> changed now.

Back in 2000 or so, the consensus was that ECC was too new and rested on
some dicey conjectures.  Since the proof of the Taniyama-Shimura
conjecture (or, as it's now called, Wiles' Theorem), ECC's theoretical
underpinnings seem to be on fairly solid ground.

The National Security Agency has approved ECC for use in its Suite B of
cryptographic algorithms, and has authorized it for protection of the
highest levels of state secrets (TS/SCI) when used with 384-bit ECC keys.

John's information (that Suite B was authorized for SECRET) is correct:
he was looking at the bit about Suite B that relates to 256-bit ECC keys.

> So my 4096-bit Elgamal key with an AES256 cipher would be somewhere
> between SECRET and TOP SECRET (discounting the real information
> security policies that are applied by any DoD/spook personnel, in
> either your country or mine).

The NSA is quite good about publishing its real information security
policies.  They have a *lot* of contractors who work with them, and
keeping the rules for how to secure classified information hidden would
ultimately only harm overall operational security.  They *want* people
to know the right way to take care of TS/SCI material.

They never want to hear someone say, "sure, I sent that TS/SCI file in
plaintext.  Wait, I wasn't supposed to do that?  I was never told!  Why
aren't those rules on your website?"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5598 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20101209/c04dc604/attachment.bin>

More information about the Gnupg-users mailing list