
Do you have any idea why we are still using GPG with RSA cryptography when elliptic curve cryptography (ECC) has been available since 2015-ish?*

I get we probably were very afraid of compatibility with old systems and may have issues, but I'm pretty sure we are mostly OK.

* lists.gnupg.org/pipermail/gnup

@esparta

From searching around, I can speculate:

- Doubt around backdoors
- Some implementations were not secure
- Patents

@benoitj I did research and just found poor arguments, all based on beta status. But that's so 2016.
In my limited experience I can tell it is close to impossible to implement ECC, be correct and also be insecure and/or backdoor-able. Some algo has been reported to be intentionally weakened by NSA, but no ECC.
- Patents & ECC? What do you mean? Where? The ECC reference implementation has been public domain since the beginning:
cr.yp.to/ecdh.html

@esparta Patents around ECC make it difficult to implement. Like RSA when PGP got created.

en.m.wikipedia.org/wiki/ECC_pa

@esparta Similar to RSA but probably different. RSA itself was patented, ECC is not, but some implementations are.

In the end, lots of uncertainty. Maybe not true anymore, but I'm no expert :P

@benoitj Gotcha, I get that part now. Like any other public crypto algorithm, it will always be susceptible to being patented, but for specific uses, not exactly for the algo itself; for what gnupg is about, it seems free to implement for encryption and signing. Also, I'm not a lawyer nor an expert. That's why I ask.

As you mention, this is different than the RSA case; I frankly have my doubts it's the case.

I'm more inclined to think it's the same case as OpenSSH + RSA: ECC is there but is not the default.

@esparta The answer is corporate folk who have built large environments only upgrade when their vendors stop supporting an older design... or when their marketing team gets the ear of the CEO and complains about poor website analytics.

@greypilgrim Is it?
gnupg is usually used by individuals to encrypt and sign communications; not as many enterprises or corporations use it as a norm. I mean, it is way different than sshd using RSA for authentication, which is highly used by corps.
Besides big orgs like Debian I'm not aware of places where it is broadly used.

@esparta Ah. I guess I was not speaking to the context of gnupg.
