[Ach] Camellia

Aaron Zauner azet at azet.org
Sun Jan 5 23:10:34 CET 2014

Hi Jeff,

On 05 Jan 2014, at 22:40, Jeff Hodges <jeff at somethingsimilar.com> wrote:

> Camellia and AES are roughly equivalent in strength and equivalent in difficulty to make constant time[1]. However, AES has had significant investment to build constant-time implementations culminating with AES-NI, now a standard feature on server CPUs. Camellia has not had such far-reaching work done for its implementations. Finally, most major web services do not prefer Camellia, and the number of uses of it is growing smaller[2].
> Because of that, putting Camellia in the cipher string is bad for interop, and bad for security, especially as a first preference. Removing it completely, since there are other cipher suites of equivalent strength and better support, would be best.

I agree. Firefox seems to be the last bastion of Camellia in the wild. A couple of days ago Mozilla Crypto Security Team also voiced their concerns about the issue with the remark that they’ll probably remove Camellia pretty soon themselves. Which should prompt us to remove Camellia as well.

Since the decision is not mine alone to make we’ll discuss this on this ML and regular meetings (next scheduled Tue 7th of Jan 1900 CET).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1091 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20140105/bd627c8b/attachment.sig>

More information about the Ach mailing list