RE: [Cfrg] Re: [saag] Algorithm upgrades
I agree on the sentiment, disagree on the method.
There are three viable ways to signal the change:
1) Use a new port
2) Define a DNS RR to describe the configuration of the protocol
3) Use a prefixed DNS TXT record to describe the configuration
(1) and (2) suffer from the limited ports problem, only 1024 well known
ports, 65K TOTAL, same for RRs. The use of new RRs also has the severe
disadvantage of not working for about 50% of the deployed infrastructure
(and don't believe the fairy stories that claim otherwise, it ain't true
unless your definition of 'working' does not require production strength
code).
_telnet._security.example.com TXT "encrypt=AES,DES; auth=RSA288382811k=="
Deployable, viable, simple, workable.
The Internet needs a policy layer, the people who say that is too hard
should be told to go home, shut up and not bother the grownups who do know
how to make it work.
Phill
> -----Original Message-----
> From: cfrg-bounces at ietf.org [mailto:cfrg-bounces at ietf.org] On
> Behalf Of D. J. Bernstein
> Sent: Sunday, November 07, 2004 3:12 PM
> To: saag at mit.edu; cfrg at ietf.org
> Subject: Re: [Cfrg] Re: [saag] Algorithm upgrades
>
>
> Bill Sommerfeld writes:
> > there are only 16 bits of well-known port, and you
> generally need much
> > more than one bit to encode sufficiently rich combinations of
> > algorithm parameters
>
> Sufficient for what, exactly?
>
> A moment ago we were talking about the upgrade from DES to
> AES. That's a one-bit switch, and obviously an important one.
> AES is faster and more secure; DES is on the way out, and AES
> is on the way in.
>
> Now you seem to have in mind a much more complicated set of
> options, and an unstated reason that it's important to have
> all those options (but no others!). What's the reason? How do
> you get from that reason to the exact list of options that
> you have in mind?
>
> Where can I find the archived analysis of how the exact list
> of options was created? Are you sure that the options weren't
> simply accreted by the typical ``Let's support every
> conceivable option we can document'' committee-think, without
> regard for actual costs and benefits?
>
> ---D. J. Bernstein, Associate Professor, Department of
> Mathematics, Statistics, and Computer Science, University of
> Illinois at Chicago
>
> _______________________________________________
> Cfrg mailing list
> Cfrg at ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
>
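As an added illustration of the prefixed TXT-record scheme Phill sketches above (this is example code, not anything posted in the thread), the block below parses a `_<service>._security.<domain>` TXT value of the form `encrypt=AES,DES; auth=...`, and then lets a client pick a cipher from what the record advertises. The `encrypt`/`auth` keys and the telnet record are taken from the message; the in-memory zone standing in for DNS, the extra sample records, the client preference list and the policy-absent handling are assumptions made for the example.

```python
"""Parse and apply a prefixed DNS TXT security-policy record such as

    _telnet._security.example.com TXT "encrypt=AES,DES; auth=RSA288382811k=="

Added example, not code from the mailing-list thread.  The record format and
the telnet record are as shown in the message; the zone stub, the other
records, and the client-side selection logic are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SECURITY_PREFIX = "_security"

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The telnet record is the one from the message; smtp and imap are assumed.
SAMPLE_ZONE: dict[str, list[str]] = {
    "_telnet._security.example.com": ["encrypt=AES,DES; auth=RSA288382811k=="],
    "_smtp._security.example.com": ["encrypt=DES; auth=RSA288382811k=="],
    "_imap._security.example.com": ["garbage without separators"],
}


@dataclass
class SecurityPolicy:
    encrypt: list[str] = field(default_factory=list)  # advertised ciphers
    auth: list[str] = field(default_factory=list)     # advertised auth methods
    extra: dict[str, list[str]] = field(default_factory=dict)  # unknown keys


def parse_policy_txt(txt: str) -> SecurityPolicy:
    """Parse 'key=v1,v2; key2=v3' into a SecurityPolicy.

    Unknown keys are kept in .extra so a newer record does not break an
    older client; a field without '=' is malformed and raises ValueError
    (fail closed rather than silently negotiating nothing).
    """
    policy = SecurityPolicy()
    for raw_field in txt.split(";"):
        raw_field = raw_field.strip()
        if not raw_field:
            continue
        if "=" not in raw_field:
            raise ValueError(f"malformed policy field: {raw_field!r}")
        key, _, value = raw_field.partition("=")  # keeps '=' inside values
        values = [v.strip() for v in value.split(",") if v.strip()]
        key = key.strip().lower()
        if key == "encrypt":
            policy.encrypt = [v.upper() for v in values]
        elif key == "auth":
            policy.auth = values
        else:
            policy.extra[key] = values
    return policy


def lookup_policy(service: str, domain: str,
                  zone: dict[str, list[str]] = SAMPLE_ZONE) -> SecurityPolicy | None:
    """Fetch _<service>._security.<domain> TXT from the stub zone.

    Returns None when no record exists; the caller must treat that as
    'no policy published', not as permission to run unprotected.
    """
    name = f"_{service}.{SECURITY_PREFIX}.{domain}"
    records = zone.get(name)
    if not records:
        return None
    return parse_policy_txt(records[0])


# Client preference, strongest first.  DES is deliberately not listed, so a
# server advertising only DES gets no cipher rather than a weak one.
CLIENT_ENCRYPT_PREFERENCE = ["AES"]


def choose_cipher(policy: SecurityPolicy | None) -> str | None:
    """Pick the first client-preferred cipher the server record advertises."""
    if policy is None:
        return None
    for cipher in CLIENT_ENCRYPT_PREFERENCE:
        if cipher in policy.encrypt:
            return cipher
    return None


if __name__ == "__main__":
    for svc in ("telnet", "smtp", "ssh"):
        print(svc, "->", choose_cipher(lookup_policy(svc, "example.com")))
```

In a real client the `SAMPLE_ZONE` dictionary would be replaced by a TXT query through the system resolver; the parsing and selection logic stay the same, and the DES-to-AES move DJB describes becomes exactly the one-bit decision `choose_cipher` makes.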