getting rid of blowfishes
Simpson, Sam
s.simpson@mia.co.uk
Wed, 3 May 2000 11:32:41 +0100
> -----Original Message-----
> From: L. Sassaman [mailto:rabbi@quickie.net]
> Sent: 02 May 2000 20:58
> To: s.simpson@mia.co.uk
> Cc: gnupg-users@gnupg.org
> Subject: RE: getting rid of blowfishes
>
> On Tue, 2 May 2000, Simpson, Sam wrote:
>
> > Fortunately the GnuPG crowd appear to be more technically competent
> > (probably because it runs on Linux and users are already
> technically aware I
> > guess) so there is less of an issue with GnuPG users
> creating non-compatible
> > keys inappropriately.
>
> Yeah, but then there are all those RedHat users. <ducks>
<g>.
> > Don't tell me that finally, 3 or 4 months before AES is
> finally selected,
> > PGP will start implementing Twofish which most likely will
> not be selected
> > as the final algorithm?
>
> I said nothing to that extent. But, just for the sake of
> argument (note
> that none of this should be interpretted as anything more
> than theory),
> the working group has already assigned 256 bit Twofish its
> own packet ID,
> so that it could be implemented in addition to AES.
Yes, I noted that.
> > I personally disagreed with the implementation of Twofish
> anyway (block
> > cipher strength is certainly not the weakest part of
> OpenPGP...), but I
> > think it's *extremely* poor timing to introduce it this
> late in the day
> > prior to the selection of AES.
>
> Again, this has nothing to do with AES.
ok, well why do OpenPGP members think it's a good idea to implement (or
include as an algorithm identifier...) Twofish? I had quite a debate on the
mailing list and nobody had a good explanation why it has been included
above other (seemingly more secure...) algorithms.
> > You will then no doubt have the newbies asking "which is
> best, Twofish or
> > AES?" where the answer should be damn obvious.
>
> Agreed.
>
> > To quote Schneier (Oct '99) "Twofish is really too new to
> be used." - and
> > you guys are fielding it in a production system? ;)
>
> I never said that. However, you're glossing over the fact
> that GnuPG uses it...
I'm certainly not. I've expressed my opinions on GnuPG implementing the
algorithm too (for example: S.Simpson, "[PGP]: PGP / AES / Twofish (Long)",
PGP-Users mailing list, 8th Mar 1999).
Regards,
Sam Simpson
IT Operations Manager
MIA Ltd