[Ach] meta-question on algorithm agility

ianG iang at iang.org
Mon May 5 13:29:14 CEST 2014

On 5/05/2014 11:48 am, René Pfeiffer wrote:
> On May 05, 2014 at 1132 +0200, Hanno Böck appeared and said:
>> On Fri, 02 May 2014 23:20:11 +0100
>> ianG <iang at iang.org> wrote:
>>> Imagine that algorithm agility was banned.  No more choice!  How much
>>> resource would this free up?
>> Now I wonder: How would such a transition work without algorithm
>> agility? I'm aware that algorithm agility doesn't work extremely well
>> for the transition, but it works at least somewhat. We can e.g. probably
>> at some point in the near future deprecate most of RC4 and SSL3 use.…
> I agree. TLS isn't the only protocol where client/server choices leave room
> for ambiguity. While HTTP 1.1 is getting pretty old, but HTTP client still
> support HTTP 1.0. The transition would certainly be quicker, but even
> modern search engine robots still opt for HTTP 1.0 given a choice. Few
> people recompile their browsers to exclude HTTP 1.0 (and I don't think this
> is controlled by a simple symbol definition).

HTTP 1.0 isn't dangerous.  It just lacks features for a liver web.

> If you tell developers not to re-invent crypto code and rely on
> libraries/modules, then these libraries/modules should make the Right
> Choice™. The Cloudflare blog post about RC4 is a good example. You tell
> developers that RC4 should be avoided and need to patch OpenSSL to avoid
> RC4. In an ideal world the patch would not be needed.
> Once the libraries/modules improve, we are a big step ahead.

Yep, the distro people are in control.  They just need a simpler roadmap
that everyone can share.


More information about the Ach mailing list