[Ach] General agreement on cipher and hash strength and choice

[ianG]

On 25/11/13 18:27 PM, Daniel.Kovacic at a-trust.at wrote:

> Moreover: think about ephemeral key exchanges
>
> SHA:
> What does it mean to be more secure (under which conditions) or acceptable?
> In the paper, most of the time we are discussing sha in an hmac
> construction. There sha or md5 works as a reduction algorithm and the whole
> construction is not flawed by possible collisions like the pure hash itself.
> In fact: Even HMAC-MD5 might be sufficient while md5 is clearly outdated.


Right, exactly.

But.  Problem is that the "experts" have gone on a jihad against MD5 and 
SHA1, without understanding what they are talking about.  This is based 
on herd behaviour, following NIST and its recommendations (which are 
specifically mandated for USG and no-one else, go figure...)

Consequence of this is that developers everywhere are trying to get rid 
of MD5 and SHA1 from code, protocols, etc.  MD5 is evil!  You are bad to 
even mention the word!

There's a bandwagon.  Not a lot point in trying to push it backwards, 
spend your energy on better things.  I'm planning on Poly1305 for future 
hmac needs.


> Long term keys like root certificates:
> I think this is a bit enthusiastic, regarding the actual Mozilla and
> Microsoft root stores (last time I browsed through we were one of very few
> cas providing that)
> Little note for Austria: In Austria it isn’t even allowed to provide an ca
> certificate which is valid more than 5 years.


Yup.  Which is why I say, use 2048.  And leave it at that.


> Remarks on ECC:


Yeah.  Don't change for the moment, let's get some safe.cr.yp.to curves 
in place.  Then change.



iang