[Ach] [cryptography] Better Crypto

Aaron Zauner azet at azet.org
Tue Jan 7 14:16:10 CET 2014 

Hi, *

Axel Hübl wrote:
> I could not agree more.
>
> Crazy C get's totally against the scope of this document: providing
> _relyable_ crypto.
>
> If someone reads that document and goes for "see, they still list it as
> compatible, provide it!" the document lost it's main point.
I agree too. Sorry. But that's really not our issue to tackle. If we
want to provide a guide for _better_crypto_ we'll need to drop some
stuff that eventually breaks compatibility. I'm totally for discussing
ECDHE on top of DHE (although curve options as currently implemented in
libraries just suck) and SRP (which is a very good scheme in my opinion)
- but discussing EOL ciphers like 3DES is somewhat out of scope. After
all we want to prompt change in peoples mindset about legacy
installations, their security and what should be regarded as safe for
customers and users. Nobody has to follow this guide to the letter.

Aaron






On Tue, Jan 7, 2014 at 1:38 PM, Axel Hübl <axel.huebl at web.de> wrote:

> I could not agree more.
>
> Crazy C get's totally against the scope of this document: providing
> _relyable_ crypto.
>
> If someone reads that document and goes for "see, they still list it as
> compatible, provide it!" the document lost it's main point.
>
> Cheers,
> Axel
>
> On 07.01.2014 13:08, Pepi Zawodsky wrote:
> > On 07.01.2014, at 11:55, ianG <iang at iang.org> wrote:
> >> Suite C:  maximum compatibility
> >
> > This is what every other guide on the internet already does. We'll
> _never_ get to improve the current state if we keep supporting fubared
> stuff. If we want the broadest compatibility let's switch back to
> plaintext. Works fine with my NCSA Mosaic. :-)
> >
> > In my opinion Sweet A is where we should be. Yes, this is a
> forward-looking setting. It sill shall point the direction everyone should
> be headed for. Bravo B is still considered secure as to our best of
> knowledge today™ which still supports a wide array of deployed software
> without unsafe compromises on the security aspect.
> >
> > I oppose the introduction of a Crazy C cipher that supports every client
> as this scenario would contradict the goal of the project as I see it.
> bettercompatibility.org is still available. :-)
> >
> > Best regards
> > Pepi
> > _______________________________________________
> > Ach mailing list
> > Ach at lists.cert.at
> > http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> >
>
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20140107/d607764e/attachment.html>

More information about the Ach mailing list