Fri, May. 20th, 2011, 03:14 pm
lensassaman: I almost entirely agree; some nits:

I usually recommend e=2^16-1, but as you pointed out, you're really saying "don't use RSA, use Rabin-Williams."

Ian brought up some of the issues with Authenticate-then-Encrypt; frankly, I'm a fan of the way we handle it in RFC 4880, with the user-verifiable authentication, then encryption, then message authentication.

So, it looks like the only remaining thing I have an issue with is your comments on parameterization; I strongly argue that one should design one's protocol in a parameterized fashion, but provide only one option per needed component. E.g., you need a hash function; fine; design your protocol such that it supports multiple hash functions, but only specify SHA-2. By building parameterization into the protocol, transitioning to SHA-3 becomes a much less painful process.

I say this in part because of the awful experience of transitioning to 160-bit hashes after assuming MD5 in a non-parameterized fashion. Parameterization does not automatically imply multiple choices.
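An added illustration of the "parameterize the protocol, but specify only one option" position argued above (example code, not from the commenter, RFC 4880 or any named protocol; the wire format, the algorithm-ID values and the key are constructed): the message carries a hash-algorithm identifier field, the registry names only SHA-256, and a later move to SHA-3 is a registry entry rather than a format change.

```python
import hashlib
import hmac
import struct

# Constructed wire format: alg_id (1 byte) || payload length (4 bytes) || payload || tag.
# The alg_id field is the parameterization; the registry below is the specification,
# and it deliberately names only one hash (constructed ID 0x08).
HASH_ALGS = {0x08: "sha256"}
HEADER = struct.Struct("!BI")


def register_hash(alg_id: int, name: str) -> None:
    """Later transition (e.g. to SHA-3): one registry entry, no wire-format change."""
    hashlib.new(name)  # raises ValueError if this Python build lacks the algorithm
    HASH_ALGS[alg_id] = name


def seal(key: bytes, alg_id: int, payload: bytes) -> bytes:
    """MAC the header together with the payload so the alg_id itself is authenticated."""
    name = HASH_ALGS[alg_id]  # KeyError: refuse to emit an unspecified algorithm
    header = HEADER.pack(alg_id, len(payload))
    tag = hmac.new(key, header + payload, name).digest()
    return header + payload + tag


def open_msg(key: bytes, msg: bytes) -> bytes:
    """Return the payload, or raise ValueError on any malformed or forged message."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated header")
    alg_id, length = HEADER.unpack_from(msg)
    name = HASH_ALGS.get(alg_id)
    if name is None:
        # Unregistered ID: reject rather than negotiate down or guess.
        raise ValueError(f"unsupported hash algorithm id 0x{alg_id:02x}")
    tag_len = hashlib.new(name).digest_size
    if len(msg) != HEADER.size + length + tag_len:
        raise ValueError("length mismatch")
    body_end = HEADER.size + length
    authed, tag = msg[:body_end], msg[body_end:]
    expected = hmac.new(key, authed, name).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC")
    return msg[HEADER.size:body_end]


def is_valid(key: bytes, msg: bytes) -> bool:
    try:
        open_msg(key, msg)
        return True
    except ValueError:
        return False
```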
