Re: [saag] A case against algorithm agility (long)
ianG <iang@iang.org> Mon, 05 May 2014 11:13 UTC
Return-Path: <iang@iang.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 453A81A02AF
for <saag@ietfa.amsl.com>; Mon, 5 May 2014 04:13:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5
tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id AJ1DDD8oHC7n for <saag@ietfa.amsl.com>;
Mon, 5 May 2014 04:13:03 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166])
by ietfa.amsl.com (Postfix) with ESMTP id B1C951A029E
for <saag@ietf.org>; Mon, 5 May 2014 04:13:03 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187])
by virulha.pair.com (Postfix) with ESMTPSA id 00C5A6D5FA;
Mon, 5 May 2014 07:12:55 -0400 (EDT)
Message-ID: <53677237.8010908@iang.org>
Date: Mon, 05 May 2014 12:12:55 +0100
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9;
rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Andrey Jivsov <openpgp@brainhub.org>, saag@ietf.org
References: <53650F27.6040607@iang.org> <5366F7E2.7000605@brainhub.org>
In-Reply-To: <5366F7E2.7000605@brainhub.org>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/91UO9xqv5B81WoW2_hPCYkCcy6U
Subject: Re: [saag] A case against algorithm agility (long)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>,
<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
<mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 11:13:05 -0000
On 5/05/2014 03:30 am, Andrey Jivsov wrote: > On 05/03/2014 11:45 AM, ianG wrote: >> I've jotted down some notes on the case against agility, as mooted. >> Sorry, long. >> >> It should be called "algorithm agility considered harmful" but I've >> found that some people are irrationally offended by words. Offense >> doesn't worry me, but distraction helps nobody. >> > ... > > It is a good idea to limit the number of possible permutations of > allowed algorithms. :) > However, the pros for the algorithm agility are: > * compliance with standards (unless all standards in the world specify > the same suite) Why is this a pro? What conceivable benefit is there to users in adopting others' standards, when they already have their own? We're talking about a single protocol that communicates with its own agents only; it's TLS versus SSH, they don't ever talk to each other, it's not like Esperanto versus German. Here you are in a standards setting, which means you set standards. By outsourcing the setting of standards, that means you are not doing the job. I can see the argument that you simply want to use other peoples' work, but I can't see why you would want to save on work by re-use, and duplicate with your own as well. Makes no sense to me. > * upgrade to new algorithms Yes, just to set the context, there are three different mechanisms available. Algorithm agility is (to me) the substitution of new algorithms within a protocol connection context. There is also suite substitution which sets the whole stack. Then there is also version upgrade which changes the whole protocol. Latter is TLS1.1 => TLS1.2. > (the time-line of the "old" and the "new" > algorithms typically overlap) (a result, not an objective) > * easier system maintenance (it's easier to add only a new algorithm to > an old product that is only maintained as opposed to actively developed) Only if you ignore all the other things going on. > * there might be no single algorithm that is perfect for everybody The combination of your points 1 & 4 means that every algorithm that has any single benefit has to be supported by everyone, taken to the extreme. Again, you have to look hard and deep: why are you opening the door to supporting more than one? Why are you opening the door to many many algorithms? Where's the benefit for the user? iang
- [saag] A case against algorithm agility (long) ianG
- Re: [saag] A case against algorithm agility (long) Benjamin Kaduk
- Re: [saag] A case against algorithm agility (long) ianG
- Re: [saag] A case against algorithm agility (long) Yoav Nir
- Re: [saag] A case against algorithm agility (long) Andrey Jivsov
- Re: [saag] A case against algorithm agility (long) S Moonesamy
- Re: [saag] A case against algorithm agility (long) Yoav Nir
- Re: [saag] A case against algorithm agility (long) ianG
- Re: [saag] A case against algorithm agility (long) S Moonesamy
- Re: [saag] A case against algorithm agility (long) Nico Williams
- Re: [saag] A case against algorithm agility (long) Paul Lambert
- Re: [saag] A case against algorithm agility (long) ianG
- Re: [saag] A case against algorithm agility (long) Paterson, Kenny
- Re: [saag] A case against algorithm agility (long) Nico Williams
- Re: [saag] A case against algorithm agility (long) Nico Williams
- Re: [saag] A case against algorithm agility (long) ianG
- Re: [saag] A case against algorithm agility (long) ianG
- Re: [saag] A case against algorithm agility (long) Mouse
- Re: [saag] A case against algorithm agility (long) Nico Williams