[Ach] NIST review of cryptographic standards
L. Aaron Kaplan
kaplan at cert.at
Thu Nov 7 00:07:11 CET 2013
On Nov 7, 2013, at 12:02 AM, Maarten Van Horenbeeck <maarten.vhb at gmail.com> wrote:
> Hi Thomas,
> You are right. Today it would be difficult to add them to a default configuration, as the support simply is not there on the server or client side, but in the near future these will make good alternatives for things like AES-GCM.
> That actually brings up a more process comment: I think it pays to think about setting expectations with consumers of the configurations that these configurations need to be considered agile,
> and that the recommended configurations will change over time and will need to be updated. Perhaps even test and flag what the most common break scenarios are between updates (e.g. error message, hanging connection, ...), so administrators do not just roll back completely if permitting a single weaker cipher would address the break scenario.
Very good point.
Indeed, we already have that very same issue right now (even before new ciphers and AES-GCM):
there are still a lot of XP boxes out there which will break if we do not give them RC4 and similar known-weak settings.
So, one proposal is to have a compatibility-matrix table in the appendix and a process for keeping the document up to date on a periodic basis.
We already had some ideas (on Monday) on scripting settings, then letting sslabs.com evaluate the settings and spidering its results. But there must be a more efficient way of automatically testing compatibility issues.
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
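One way to make the compatibility-matrix and "flag the break scenario between updates" ideas scriptable, as an added example that is not code from this list or from CERT.at; the client profiles, both policy revisions and the weakness ranking are constructed stand-ins, not measured capability data:

```python
"""Cipher-suite compatibility matrix for a TLS policy document.

For each client profile: the suite a server-preference negotiation would pick,
and, where the client breaks, the single least-weak suite whose re-admission
would fix it, so an admin need not roll the whole policy back.
Constructed example; suite lists are illustrative, not measured capabilities."""
from typing import Dict, List, Optional, Tuple

# Constructed client profiles (OpenSSL suite names, client preference order).
CLIENT_PROFILES: Dict[str, List[str]] = {
    "legacy-xp-browser": ["RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"],
    "mid-2000s-browser": ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RC4-SHA"],
    "modern-browser": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                       "ECDHE-RSA-AES128-SHA", "AES128-SHA"],
}
# Two revisions of a constructed server policy (server preference order); the
# update drops 3DES. In practice expand a cipher string into such a list with
# `openssl ciphers -v '<string>'`.
OLD_POLICY = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA", "DES-CBC3-SHA"]
NEW_POLICY = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA"]
# Known-weak suites ranked worst first; anything unlisted is treated as acceptable.
WEAK_RANKING = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"]

def negotiated(server: List[str], client: List[str]) -> Optional[str]:
    """Server-preference negotiation: first server suite the client also offers."""
    offered = set(client)
    return next((s for s in server if s in offered), None)

def minimal_fix(server: List[str], client: List[str]) -> Optional[str]:
    """Least-weak suite the client supports that the policy currently excludes."""
    candidates = [s for s in client if s not in server]
    if not candidates:
        return None
    rank = lambda s: WEAK_RANKING.index(s) if s in WEAK_RANKING else len(WEAK_RANKING)
    return max(candidates, key=rank)  # highest rank = least weak

def compatibility_matrix(server, profiles) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """name -> (negotiated suite or None, single-suite fix if the client breaks)."""
    out = {}
    for name, client in profiles.items():
        suite = negotiated(server, client)
        out[name] = (suite, None if suite else minimal_fix(server, client))
    return out

def regressions(old, new, profiles) -> Dict[str, Optional[str]]:
    """Profiles that negotiated under `old` but break under `new`, with the fix."""
    return {name: fix for name, (suite, fix) in compatibility_matrix(new, profiles).items()
            if suite is None and negotiated(old, profiles[name]) is not None}

if __name__ == "__main__":
    for name, (suite, fix) in compatibility_matrix(NEW_POLICY, CLIENT_PROFILES).items():
        print(f"{name:20s} {suite or 'BREAKS':32s} fix: {fix or '-'}")
    print("regressions vs old policy:", regressions(OLD_POLICY, NEW_POLICY, CLIENT_PROFILES))
```

Replacing the constructed profile lists with suites observed from real handshakes (or from a scanner's output) turns the table into the appendix matrix the mail proposes.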