riseup.net OpenPGP Best Practices article

Robert J. Hansen rjh at sixdemonbag.org
Fri Jul 4 06:08:04 CEST 2014


> I think you're talking about personal-cipher-preferences here, which
> Alice uses to govern the cipher she uses.

Correct.

> Note that she could even put IDEA first here.

Sure, but it wouldn't take unless Bob had IDEA in his preference list.
If Bob's preference list is AES256 CAMELLIA256 3DES, then if Alice's
choice of IDEA will be ignored.  The choice of 3DES won't be, which is
why 3DES is relevant here.

> actually advertise all ciphers her openPGP implementation is capable of?

I'm saying only that she puts 3DES ahead of Bob's preferred 256-bit
ciphers in her personal-cipher-preferences.

Bob is all about "I must have at least 256 bits of keyspace in all my
email!"  But Bob can't do that, because Alice can *always* degrade him
to 112 bits by choosing 3DES.  And since Bob is the target, and since
we're assuming the enemy is well-financed and professional and capable
of tricking people, Bob needs to stop thinking he can somehow guarantee
256 bits of keyspace in his emails.

Bob can guarantee 256 bits of keyspace in *what he generates*.

Bob cannot guarantee 256 bits of keyspace in *what he receives*.

Telling people to use extremely large keys because "then your
correspondents will be using RSA-ungodly, which has an effective
something-ridiculous keyspace" sounds nice, but it's not true.  Bob can
only guarantee up to 112 bits of keyspace in the traffic that gets sent
to him, because Bob can't prohibit his correspondents from using 3DES.

Anyone who simply, glibly, says "use long certificates because they give
a larger effective keyspace," is committing fraud, IMO.  You're making
promises that aren't true and which you can't back up.

"Using long certificates *may* give a larger effective keyspace, but
really, you can only ever be certain of 112 bits of keyspace, so you
should design your security model such that it only relies on 112 bits
of keyspace" is accurate.  But I think if long certificates were to be
marketed that way, a lot of people would blink a few times and ask,
"well, what's the point, then?"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140704/076ed7e8/attachment.sig>


More information about the Gnupg-users mailing list