[Ach] Vote for new Cipherstring B [Was: Issue with OpenSSL >0.9.8l]
Tobias Pape
Das.Linux at gmx.de
Thu May 15 21:58:16 CEST 2014
In the light of this, I would like to humbly propose
Cipherstring B vs B+
or
Cipherstring B vs C
or
Cipherstring B.1 vs B.2
with the first being the one not using AES256 and
the latter being the one not using AES128
That way we would have 3 ways of backwards compatibility.
Best
-tobias
On 15.05.2014, at 21:54, Aaron Zauner <azet at azet.org> wrote:
>
>
> David Durvaux wrote:
>> Mmmm...
>>
>> Why getting rid of longer keys?? Probably the people who should take
>> care of using AES128 instead of AES256 shouldn't stick to our document only.
>>
>> On the other side, AES256 could be consider to be at least as secure as
>> AES128. I don't see any reason to exclude it because it's safer...
>>
>> For me we HAVE to exclude unsecure algorithm but we SHOULD keep
>> variation of algorithm that are at least as secure as the minimal
>> version we keep.
>>
>> On top of that, it's also possible that some people exclude AES128 for
>> some reasons and offering a longer set of algorithm COULD in some case
>> increase the compatibility. That's probably not frequent but who knows...
>>
>> So in short, I would keep AES256 and add AES196 ;).
>>
> I don't see AES-192 in there:
> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml :)
>
> As I said, cryptography libraries that do support AES will support 128
> and 256 (I know of no exception) - as such 128 will never be chosen,
> it'll reduce the ridiculous length of the cipherstring a bit - which is
> good since some daemons have problems with cipherstrings that long (e.g.
> OpenVPN).
>
> That said - it was just a note that we may want to discuss, the
> important part is getting the cipherstring right to work on
> OpenSSL1.0.0+ and 0.9.8.
>
> Aaron
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1625 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20140515/d716122f/attachment.sig>
More information about the Ach
mailing list