David Shaw | 1 May 02:13 2007

Re: Camellia for OpenPGP


On Tue, Apr 24, 2007 at 11:48:44AM +0900, Hironobu SUZUKI wrote:
> 
> 
> > 
> > 	You MAY implement Camillia. [ref]
> > 	Cipher number is 11.
> > 
> 
> That's good.
> 
>  	You MAY implement Camillia with 256-bit key. [ref]
>  	Cipher number is 11.
> 
> It would be perfect.

If nobody objects, I thought I'd have a crack at putting together a
draft for this.  I've been meaning to learn the xml2rfc stuff anyway.

I notice you're just mentioning Camellia with a 256-bit key, which
leaves out the 128 or 192-bit keys.  I don't disagree, but I'm curious
if that was intentional.

128 is okay, but 192-bit keys in OpenPGP strike me a bit as "neither
here nor there" (I argued to keep AES-192, but that had already been
deployed in the field).

David

(Continue reading)

Hironobu SUZUKI | 1 May 05:08 2007
Picon

Re: Camellia for OpenPGP


> But, if some disclosure document for OpenPGP is required, I ask it
> NTT.  I estimate that it takes 2 or 3 weeks to get it.

I contacted to NTT about issuing IPR for OpenPGP WG as well as IPSEC,
S/MIME, TLS.  They accepted it and IPR for OpenPGP will be issued for
a while.

Regards,

---
Hironobu SUZUKI <hironobu at h2np dot net><hironobu at fsij dot org>
Hironobu SUZUKI Office, Inc. / FSIJ / WCLSCAN / OpenPKSD
Tokyo, Japan.
http://h2np.net

Hironobu SUZUKI | 1 May 05:49 2007
Picon

Re: Camellia for OpenPGP


David,

> I notice you're just mentioning Camellia with a 256-bit key, which
> leaves out the 128 or 192-bit keys.  I don't disagree, but I'm
> curious if that was intentional.

Yes, intentional. I chose Camellia-256 by the point of view of
marketing.

I found that may people had selected TLS/AES-256 ciphersuite for their
https when they could use it under their system. Many people think
"more strong cipher for me".  I know that it is overkill for thier
security.  But most important thing is "to supply what users want to
get".

And there are many 128-bit ciphers which are already used. People will
use a cipher that they used to using.  But in 256-bit ciphers, there
only two ciphers except Camellia and many people aren't familiar with
256-bit cipher yet. In that situation, it will be easy to accept
Camellia-256bit.

Camellia-256 is good for surviving cipher war.

Regards,

---
Hironobu SUZUKI <hironobu at h2np dot net><hironobu at fsij dot org>
Hironobu SUZUKI Office, Inc. / FSIJ / WCLSCAN / OpenPKSD
Tokyo, Japan.
(Continue reading)

Rodney Thayer | 1 May 07:27 2007

Re: Camellia for OpenPGP


Hironobu SUZUKI wrote:
> 
> David,
>  
>> I notice you're just mentioning Camellia with a 256-bit key, which
>> leaves out the 128 or 192-bit keys.  I don't disagree, but I'm
>> curious if that was intentional.
> 
> Yes, intentional. I chose Camellia-256 by the point of view of
> marketing.
> 
> I found that may people had selected TLS/AES-256 ciphersuite for their
> https when they could use it under their system.

AES-256 is listed in a NIST recommendation.  It's not marketing,
it's following NIST guidance.

Not to say that's not debatable but it's not just "marketing" or
key material size obsession.

Hironobu SUZUKI | 1 May 08:37 2007
Picon

Re: Camellia for OpenPGP


Rodney, 

> AES-256 is listed in a NIST recommendation.  It's not marketing,
> it's following NIST guidance.

I'm taking about TLS/AES-256, not taking about AES-256. In TLS WG,
they tried to adapt only AES-128 and ignored AES-256. First of all,
they said "AES-256 is too much". I pushed AES-256 to TLS because it
was nice for backup cipher for AES-128 and it was only a chance to
adapt 256-bit cipher to TLS.

They didn't select AES-256 as by NIST recommendation. They didn't
select AES-192 also. They selected AES-256 as "backup for 128bit
cipher".

That is ture story.

At that time, I didn't think that many people use AES-256 because
actually, AES-128 was enough.

Today, in fact, many people use AES-256.  I learn that people tend to
use stronger cipher which is prepared for them because they want to
feel safer. That is a sort of psycological attitude, not technical
attitude.

> Not to say that's not debatable but it's not just "marketing" or key
> material size obsession.

I'm sorry that I confused you by my English capability.  
(Continue reading)

Simon Josefsson | 1 May 21:47 2007

Re: Camellia for OpenPGP


Hironobu SUZUKI <hironobu <at> h2np.net> writes:

>> But, if some disclosure document for OpenPGP is required, I ask it
>> NTT.  I estimate that it takes 2 or 3 weeks to get it.
>
> I contacted to NTT about issuing IPR for OpenPGP WG as well as IPSEC,
> S/MIME, TLS.  They accepted it and IPR for OpenPGP will be issued for
> a while.

Thanks for doing that, I believe it is the correct way to deal with the
patent under the IETF policies on this.

/Simon

Stephan Beyer | 2 May 16:52 2007
Picon
Picon

Re: fingerprint hash material in 12.2.

Hi,

> I'm only going to answer parts of your question.

I hope you read the full mail. In footnote 3 a mistake was mentioned:
>> 3. Note, that there is a further mistake: (f) doesn't even exist.
>>    The list ends with (e).

I mean, in (a.2) and (a.3) the "(b)-(f)" has to be "(b)-(e)".

[Magic Dingus Encryption]
> In such a case, when we write the RFC for MDE in OpenPGP, we would  
> need to state how you compute the fingerprint of an MDE key in that  
> RFC. That's it.

As long as no big inconsistencies occur, this is good, yes.
Imho it's easier just to say, that the size modulo 65536 is used.

Kind Regards,
Stephan Beyer

--

-- 
Stephan Beyer <s-beyer <at> gmx.net>, PGP 0x6EDDD207FCC5040F
David Shaw | 3 May 05:36 2007

Camellia draft

Here's a stab at a draft for Camellia in OpenPGP.  Some notes:

* I structured it as a personal informational submission.  I'm not
sure of the procedure (WG consensus?), but I'm sure that making this a
official standards-track submission from the WG would be preferable.

* I haven't yet sent this to the draft submission address at the IETF.
If people here more or less like what I've written, I will.

* This draft is marked as "Updates: 2440" and references 2440
incorrectly here and there.  That's just a placeholder.  I assume that
2440bis will be published with its new number fairly soon, and as soon
as that happens, I'll update the draft.

David

Network Working Group                                            D. Shaw
Internet-Draft                                               May 2, 2007
Updates: 2440 (if approved)
Intended status: Informational
Expires: November 3, 2007

                     The Camellia Cipher in OpenPGP
                     draft-shaw-openpgp-camellia-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
(Continue reading)

Florian Weimer | 3 May 14:47 2007
Picon

Re: Camellia draft


* David Shaw:

> 5.  IANA Considerations
>
>    This document requires IANA to assign an algorithm number from the
>    registry of OpenPGP Symmetric Key Algorithms that was created by
>    [RFC2440].

Has this registry been created with RFC 2440?  I can't find it on the
IANA web site.

David Shaw | 3 May 15:12 2007

Re: Camellia draft


On Thu, May 03, 2007 at 02:47:52PM +0200, Florian Weimer wrote:
> 
> * David Shaw:
> 
> > 5.  IANA Considerations
> >
> >    This document requires IANA to assign an algorithm number from the
> >    registry of OpenPGP Symmetric Key Algorithms that was created by
> >    [RFC2440].
> 
> Has this registry been created with RFC 2440?  I can't find it on the
> IANA web site.

It has not.  The registry is created with 2440bis, but since 2440bis
hasn't been published yet it does not have a number.  I'm using 2440
as a "least incorrect" placeholder until the real number is available.

David


Gmane