[Ach] meta-question on algorithm agility

René Pfeiffer lynx at luchs.at
Mon May 5 12:48:27 CEST 2014

On May 05, 2014 at 1132 +0200, Hanno Böck appeared and said:
> On Fri, 02 May 2014 23:20:11 +0100
> ianG <iang at iang.org> wrote:
> > Imagine that algorithm agility was banned.  No more choice!  How much
> > resource would this free up?
> Now I wonder: How would such a transition work without algorithm
> agility? I'm aware that algorithm agility doesn't work extremely well
> for the transition, but it works at least somewhat. We can e.g. probably
> at some point in the near future deprecate most of RC4 and SSL3 use.…

I agree. TLS isn't the only protocol where client/server choices leave room
for ambiguity. While HTTP 1.1 is getting pretty old, HTTP clients still
support HTTP 1.0. The transition would certainly be quicker, but even
modern search engine robots still opt for HTTP 1.0 given a choice. Few
people recompile their browsers to exclude HTTP 1.0 (and I don't think this
is controlled by a simple symbol definition).

If you tell developers not to re-invent crypto code and rely on
libraries/modules, then these libraries/modules should make the Right
Choice™. The Cloudflare blog post about RC4 is a good example. You tell
developers that RC4 should be avoided and need to patch OpenSSL to avoid
RC4. In an ideal world the patch would not be needed.

Once the libraries/modules improve, we are a big step ahead.


  )\._.,--....,'``.  fL  Let GNU/Linux work for you while you take a nap.
 /,   _.. \   _\  (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.'  - System administration + Consulting + Teaching -
Got mail delivery problems?  http://web.luchs.at/information/blockedmail.php