[Ach] Vote for new Cipherstring B [Was: Issue with OpenSSL >0.9.8l]

Tobias Pape Das.Linux at gmx.de
Thu May 15 21:58:16 CEST 2014

In the light of this, I would like to humbly propose

Cipherstring B vs B+
Cipherstring B vs C
Cipherstring B.1 vs B.2

with the first being the one not using AES256 and
the latter being the one not using AES128

That way we would have 3 ways of backwards compatibility.


On 15.05.2014, at 21:54, Aaron Zauner <azet at azet.org> wrote:

> David Durvaux wrote:
>> Mmmm...
>> Why getting rid of longer keys?? Probably the people who should take
>> care of using AES128 instead of AES256 shouldn't stick to our document only.
>> On the other side, AES256 could be consider to be at least as secure as
>> AES128.  I don't see any reason to exclude it because it's safer...  
>> For me we HAVE to exclude unsecure algorithm but we SHOULD keep
>> variation of algorithm that are at least as secure as the minimal
>> version we keep.
>> On top of that, it's also possible that some people exclude AES128 for
>> some reasons and offering a longer set of algorithm COULD in some case
>> increase the compatibility.  That's probably not frequent but who knows...
>> So in short, I would keep AES256 and add AES196 ;).
> I don't see AES-192 in there:
> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml :)
> As I said, cryptography libraries that do support AES will support 128
> and 256 (I know of no exception) - as such 128 will never be chosen,
> it'll reduce the ridiculous length of the cipherstring a bit - which is
> good since some daemons have problems with cipherstrings that long (e.g.
> OpenVPN).
> That said - it was just a note that we may want to discuss, the
> important part is getting the cipherstring right to work on
> OpenSSL1.0.0+ and 0.9.8.
> Aaron
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1625 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20140515/d716122f/attachment.sig>

More information about the Ach mailing list