On 6/26/2014 11:26 AM, Daniel Kahn Gillmor wrote:
> The pushback of "don't bother using stronger crypto, something else
> will be your problem" seems silly to me. It's like saying "don't
> bother fighting sexism, people are going hungry!" We can (and
> should) push on all of these fronts concurrently.
I've been writing and rewriting this several times now: I'm not sure if I've found diplomacy here, but there comes a point where you have to say "screw it" and hit send.

Four of the best guiding principles I've found are:

1. Design the system as if the bad guys control everything that is not an immediate game-over.
2. Assume the bad guys will degrade your system in the most damaging ways possible (subject only to #1).
3. Your level of protection is defined by your resistance to the enemy's worst skulduggery, not your performance in the absence of skulduggery.
4. Just because you define something to be an immediate game-over doesn't mean the enemy can't do it -- it just means you can't defend against it and for that reason aren't covering it.

One of the justifications you give for your faith in increased key lengths is "[RFC4880] also encourages people to advertise preferences for stronger ciphers, so correspondents using tools which respect those advertised preferences (like GnuPG) *will* get the increase in strength described."

But see #2 above. The bad guys will degrade your system in the most damaging ways possible, subject to the assumptions we make in #1. Since it's possible to degrade the cipher preference to 3DES, we need to assume that's exactly what will happen.

(Your next objection is "How?". That's a non sequitur right now. I believe serious adversaries can do this because (a) there's no mechanism to prevent them from doing it, and (b) system degradation is such a bog-standard attack vector that I can't believe they haven't already thought up ways. Whether *I* have thought up ways is irrelevant.)

People should feel free to use cipher preferences, but they shouldn't have any expectation that it matters a damn. The most you can guarantee out of it is 3DES with 112 bits of keyspace: everything beyond that is a gift from your enemy. If your security model depends on using Camellia256, then you need to use something other than OpenPGP, because #3.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
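The 3DES floor the post refers to comes from the RFC 4880 selection rule: TripleDES is the MUST-implement algorithm and is tacitly at the end of every recipient's preference list, so the intersection of preferences is never empty. The following is an added example, not code from the post or from GnuPG; it models that rule in Python and adds a sender-side policy check (an assumed local policy, not an OpenPGP mechanism) that refuses a negotiation that landed on the floor instead of silently using it.

```python
# Added example (not from the original post or GnuPG): RFC 4880 section 13.2
# symmetric-cipher selection with the tacit TripleDES floor, plus a local
# policy check that a sender can apply before encrypting.
from typing import Iterable, List, Sequence

# Symmetric algorithm IDs from RFC 4880 section 9.2.
AES256, AES192, AES128, CAMELLIA256, TRIPLEDES = 9, 8, 7, 13, 2
NAMES = {9: "AES256", 8: "AES192", 7: "AES128", 13: "CAMELLIA256", 2: "3DES"}


def effective_prefs(advertised: Sequence[int]) -> List[int]:
    """A recipient's advertised list with TripleDES tacitly appended,
    as RFC 4880 requires when it is not listed explicitly."""
    prefs = list(advertised)
    if TRIPLEDES not in prefs:
        prefs.append(TRIPLEDES)
    return prefs


def select_cipher(sender_ranking: Sequence[int],
                  recipients: Iterable[Sequence[int]]) -> int:
    """Return the sender's most-preferred algorithm that every recipient
    accepts. Because 3DES is in every effective list, the intersection is
    never empty: that is exactly why 3DES is the guaranteed floor."""
    common = None
    for advertised in recipients:
        accepted = set(effective_prefs(advertised))
        common = accepted if common is None else common & accepted
    if not common:
        return TRIPLEDES
    for alg in list(sender_ranking) + [TRIPLEDES]:
        if alg in common:
            return alg
    return TRIPLEDES


def check_policy(selected: int, allowed: Sequence[int]) -> bool:
    """Assumed sender-side policy: only proceed if the negotiated algorithm
    is in the locally allowed set; a degraded negotiation is refused."""
    return selected in set(allowed)


if __name__ == "__main__":
    # Constructed sample: two recipients advertising modern ciphers.
    print(NAMES[select_cipher([AES256, CAMELLIA256, AES128],
                              [[AES256, AES128], [CAMELLIA256, AES256]])])
    # Constructed sample: one recipient's preferences reduced to nothing.
    degraded = select_cipher([AES256, CAMELLIA256], [[AES256], []])
    print(NAMES[degraded], check_policy(degraded, [AES256, AES192, AES128]))
```

The second sample shows the point of the post: once any recipient's effective list is reduced, the rule yields 3DES regardless of what the others advertise, and only a local floor like `check_policy` turns that into a refusal rather than a weaker message.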