RE: AES key sizes, etc.
> Recall that last time we had a long (and futile) argument about which
> AES key sizes we need to allow and/or mandate. And notice that the exact
> same argument is also applicable to which of the two transforms (EME/LRW)
> we want to allow and/or mandate. Applying here the argument that we
> should only mandate the "strongest" solution would imply mandating only
> EME, yet the whole reason for suggesting LRW was to allow vendors to opt
> for the cheaper option.
I would like to ask some basic questions with apologies if this
has already been well discussed and I missed it.
1. Is there a document describing "LRW"? A quick scan of the reflector
left me unsure as to exactly what this refers to.
2. Is there a summary of the threat model against which the encryption
is intended to defend? My suspicion is that EME is perhaps over
designed to defend against certain attacks that are of no
practical concern. However, this is not possible to discuss
in any detail without agreeing on a threat model.
3. Has there been any discussion of the business model for
encryption? I am not clear on who would buy this and why.
My quick reaction is that "cheaper option" is an oxymoron.
Transistors are cheap. Options are expensive. This is
a bit glib, but a more thoughtful analysis would require
some basic assumptions on the business model.