Re: [Cfrg] A little room for AES-192 in TLS?

Yoav Nir <> Tue, 17 January 2017 15:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 51613129546 for <>; Tue, 17 Jan 2017 07:51:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XbelYmxlSAEi for <>; Tue, 17 Jan 2017 07:51:09 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D0BFF129541 for <>; Tue, 17 Jan 2017 07:51:08 -0800 (PST)
Received: by with SMTP id c85so205797089wmi.1 for <>; Tue, 17 Jan 2017 07:51:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5ei+QcTMx2MzV+qxwfjKpCfWrohrz5vVneJu0dCxCEk=; b=PQ5ltR6SLR+z/h2y2aH3L8lZWR6hrm+BLkLApTopVUodqcwr4R/CHl+Nu4OCoQ+UNk SSk7mQVAgPgCzn5hWM+9bUbYZ1pdTrY7kwlwsfGviNf1sJU6i80CX3l4F/garkTbFoHl metx+jPdpwAxomxp/torgn3dob4wdgsq6nJbMQheFuqvLVMCch65dg6QcKIetG3BcxP+ 0z0m/E3iwIEdK4lzZlczah4KHlxSkTEh1Io5VsH6u8POMCAs7+s9EA2cJfbJrtL9zoIn yoWVJBThRjVWn4aFJleAS746qX4carZ5JnFCEm3Yh3wM4Zqs8gSW+hx9FPonbmG3XD01 cD+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5ei+QcTMx2MzV+qxwfjKpCfWrohrz5vVneJu0dCxCEk=; b=N2BYqA52a8Kl0iU2SEwZVGT62IMiLHDBrvjeS17UcYIgtK1CZHGP6m/cWbJDZ8wygx b2cp3NVET2ric1EiOlVcZ9uMRdjBTyo15m3OKDXAxN29vo6vz0FftilgJNy6EOTwOmfY ZeWbmBD4MPkuniRns1rQlVzizEyKO1lsrhM95fhyL9+Q6X7pK1p2F+8GY2mGuox2Lj1Z oPm67fFo/jV5sgEJkoiI+cXd4CUwQBmL8t8z9856nwZZ+IZpJvUwbYCdU6PUNqkwvThm c8ZzTfKA4NHnKYLSo98cncCHBvlZZGyqHf6ylVH328Fhu01K60+rgV16Jxq0i4DV/zM3 bA5Q==
X-Gm-Message-State: AIkVDXLt9ZwNVZ5lZFiCZD4DgOptlTMB7Veo5jZqrSObT8Fj3KNBnyStOVbgXlmcCClDEQ==
X-Received: by with SMTP id m130mr16055932wmd.72.1484668267142; Tue, 17 Jan 2017 07:51:07 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id o132sm37728698wmo.17.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Jan 2017 07:51:06 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Yoav Nir <>
In-Reply-To: <>
Date: Tue, 17 Jan 2017 17:51:01 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <1484577818.5104.1.camel@quad> <> <> <> <> <1484593651.5104.49.camel@quad> <> <1484662079.5135.49.camel@quad> <>
To: Rich Salz <>
X-Mailer: Apple Mail (2.3259)
Archived-At: <>
Cc: "" <>, Leonard den Ottolander <>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 17 Jan 2017 15:51:10 -0000

On 17 Jan 2017, at 16:48, Salz, Rich <> wrote:

>> acknowledge adding ciphers is not a zero effort, but to describe it as complex
>> is inaccurate.
> We disagree.
> You can write up an individual RFC that defines AES192 ciphers for use in TLS, and ask IANA to register them, and then "let the market decide."  I suggest you focus on a couple, and not try for full parity by defining a couple of dozen, as the registrar is likely to reject it.
> Or you can keep posting here (and as previously pointed out, more appropriately the TLS list) and see if you can convince anyone.

An individual RFC (or even an RFC from the TLS WG) is no substitute for convincing people.  There are over 8000 RFCs. None of us implement all of them.

So an AES-192 RFC won’t cause universal support for these ciphersuites any more that RFC 6209 caused universal support for ARIA.

He can even donate code to OpenSSL (AES-192 already exists, but you need the ciphersuites) but he still need to convince people (you?) to (i) accept it and (ii) make it part of the default or “strong” or whatever the recommended configuration is called these days.

And he’ll need to convince browser maintainers to add it to the browsers. And then there’s the other dozens of implementations.

If you want a technology implemented and deployed, you still need to convince a lot of people. RFCs are (relatively) easy.