[Ach] Vote for new Cipherstring B [Was: Issue with OpenSSL >0.9.8l]
Aaron Zauner
azet at azet.org
Thu May 15 21:54:49 CEST 2014
David Durvaux wrote:
> Mmmm...
>
> Why getting rid of longer keys?? Probably the people who should take
> care of using AES128 instead of AES256 shouldn't stick to our document only.
>
> On the other side, AES256 could be consider to be at least as secure as
> AES128. I don't see any reason to exclude it because it's safer...
>
> For me we HAVE to exclude unsecure algorithm but we SHOULD keep
> variation of algorithm that are at least as secure as the minimal
> version we keep.
>
> On top of that, it's also possible that some people exclude AES128 for
> some reasons and offering a longer set of algorithm COULD in some case
> increase the compatibility. That's probably not frequent but who knows...
>
> So in short, I would keep AES256 and add AES196 ;).
>
I don't see AES-192 in there:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml :)
As I said, cryptography libraries that do support AES will support 128
and 256 (I know of no exception) - as such 128 will never be chosen,
it'll reduce the ridiculous length of the cipherstring a bit - which is
good since some daemons have problems with cipherstrings that long (e.g.
OpenVPN).
That said - it was just a note that we may want to discuss, the
important part is getting the cipherstring right to work on
OpenSSL1.0.0+ and 0.9.8.
Aaron
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20140515/54bd6675/attachment.sig>
More information about the Ach
mailing list