[Ach] meta-question on algorithm agility
iang at iang.org
Sat May 3 15:01:36 CEST 2014
On 3/05/2014 13:29 pm, René Pfeiffer wrote:
> On May 02, 2014 at 2320 +0100, ianG appeared and said:
>> Question for the assembled, on the experiences of the group so far:
>> What proportion of effort has been spent on the question of
>> configuration strings that set the algorithm possibilities? E.g., the
>> famous OpenSSL blah:blah:blah string.
>> Imagine that algorithm agility was banned. No more choice! How much
>> resource would this free up?
> I am not sure if this is buying you anything. You could reduce all choices
> and reduce the whole IT landscape to a couple of building blocks with no
> choices. This frees up a lot of resources until this infrastructure suffers
> from a critical bug.
> Besides you have to look for other choices anyway since algorithms age. AES
> may be around for a while and your Best Choice™ right now, but people still
> invent new algorithms. I don't think this is a waste of resources.
Yes, this is the context in which the question is being asked. This
point is now being debated inside IETF WGs looking at the issue.
However, the debate is better informed if we can actually measure the
benefits and costs. One cost is the amount of wheelspinning caused by
the solution -- algorithmic agility causes us to have to agile those
algorithms, so to speak.
Hence, one measure is how much time this group spends on the question.
Just one data point, it's not really a proof either way, but it's