[Ach] General agreement on cipher and hash strength and choice

Aaron Zauner azet at azet.org
Sun Nov 24 21:12:02 CET 2013


I agree, and that is exactly what I already remarked as well.

There is no reason to exclude AES128 - actually there is less cryptanalysis known on the 128-bit version as opposed to the 256-bit version.
SHA256 && 512 both look fine to me. As for RSA: When using GPG we could include 4096 bits w/o a problem, as far as I can tell. For webservers 4096 bits seems a bit much - at least for large-traffic or high-bandwidth sites (see previous mails about the speed).

Aaron

On 24 Nov 2013, at 18:21, Daniel.Kovacic at a-trust.at wrote:

> Hi,
> 
> I am currently revising the gpg (cipher suite) section and I noticed that we are very inconsistent in ordering ciphers and hashes in our configs. Especially AES{128|256}, SHA{256|512} etc. attracted me. To be precise, we have no consensus whether we prefer aes128 over aes256, sha256 over sha512 and so on. Same with RSA key length. I personally don't like that and I think we should get to an agreement here. I prefer recommending the most compatible, widespread, fastest etc. algorithm we agree on being absolutely recommendable at the point of writing. So I would always list aes128 before aes256 and sha256 before sha512 per default. I also think that just preferring the bigger numbers for the sake of being bigger looks a bit dubious and one who reads rsa 4096 might ask 'why?'
> 
> best regards
> Daniel
