Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Stephen Farrell <> Tue, 25 August 2015 16:21 UTC

Date: Tue, 25 Aug 2015 17:21:46 +0100
From: Stephen Farrell <>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06
List-Id: Security Area Advisory Group <>


(Here we are back at this argument again:-)

On 25/08/15 17:06, Viktor Dukhovni wrote:
> In any case, whether it is RC4 now, or some other deprecated
> ciphersuite in the future, with opportunistic security one needs to
> pay more attention to what interoperates than what is unequivocally
> strong.  The goal is as much security as can be realistically had,
> not "all or nothing".  I like to make an analogy with vaccination,
> we're protecting the infrastructure as a whole, rather than guaranteed
> security for a particular flow.

Do you agree though that there are at least two points in time
involved when considering weakened or suspect ciphers?

There is the time you're discussing of when the bad algorithm
can be turned off without damaging interop of ciphertext form.

But there is also the time after which one considers that all
such ciphertext will in a short while be almost the same as
plaintext for a capable attacker.

And the latter can happen before the former.

My argument (for which I still think I'm in the rough) is that
when we get to that 2nd point in time, one ought no longer use
a cipher even in OS mode.

Yes, that's a trade-off, as are all OS arguments. For me the
continued use of a cipher that is that weakened is worse overall,
as that cipher is liable to be used in more environments than just
one. And yes, that does mean that some packets will be sent in the
clear that would otherwise not be, but it also means that some
software will be updated sooner and hence other packets will be
sent as better ciphertext.

(And btw: In the specific case of RC4 the IETF does have consensus
to deprecate that already [1], even if the mail community let that
go by while pretending it wasn't happening:-)
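As an added illustration, not part of Stephen's or Viktor's mail and not any real TLS library's policy code, the following Python models the two points in time discussed above as separate fields on a cipher record and applies the rule argued for in the reply: in opportunistic mode a cipher stays usable while it still interoperates, but is refused from its "broken" date onward even when that date arrives before the interoperability cutoff, so a peer that offers only that cipher falls back to cleartext. The cipher names, dates and peer offers are constructed for the example; the mode and field names are assumptions of this illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Iterable, Optional


class Mode(Enum):
    STRICT = "strict"                # connection fails rather than weakening
    OPPORTUNISTIC = "opportunistic"  # cleartext is acceptable as a last resort


@dataclass(frozen=True)
class CipherStatus:
    name: str
    # Point 1 in the thread: date after which the cipher can be switched
    # off without damaging interoperability (None = no such date yet).
    interop_cutoff: Optional[date]
    # Point 2: date after which its ciphertext is treated as close to
    # plaintext for a capable attacker (None = not considered broken).
    broken_since: Optional[date]


def allowed(cipher: CipherStatus, mode: Mode, today: date) -> bool:
    """Decide whether a cipher may be negotiated on a given day."""
    # Once a cipher is considered broken it is refused in every mode,
    # even opportunistic mode; this is the position argued in the reply.
    if cipher.broken_since is not None and today >= cipher.broken_since:
        return False
    if mode is Mode.STRICT:
        # Strict mode drops a cipher as soon as interop no longer needs it.
        return cipher.interop_cutoff is None or today < cipher.interop_cutoff
    # Opportunistic mode keeps a not-yet-broken cipher while it interoperates.
    return True


def negotiate(local_prefs: Iterable[CipherStatus], peer_offers: set,
              mode: Mode, today: date) -> Optional[str]:
    """Pick the first locally preferred cipher the peer offers and policy permits.

    Returns None when nothing acceptable is shared: in opportunistic mode
    the caller would then send in the clear, in strict mode it would fail.
    """
    for cipher in local_prefs:
        if cipher.name in peer_offers and allowed(cipher, mode, today):
            return cipher.name
    return None


# Constructed sample data: one strong cipher and one legacy cipher whose
# "broken" date (point 2) comes *before* its interop cutoff (point 1).
STRONG = CipherStatus("STRONG-AEAD", interop_cutoff=None, broken_since=None)
LEGACY = CipherStatus("LEGACY-STREAM",
                      interop_cutoff=date(2016, 1, 1),
                      broken_since=date(2015, 3, 1))
LOCAL_PREFS = [STRONG, LEGACY]

# Constructed evaluation dates: before both points, between them, after both.
BEFORE, BETWEEN, AFTER = date(2015, 2, 1), date(2015, 8, 25), date(2016, 6, 1)


def outcomes_for_legacy_only_peer() -> dict:
    """What an opportunistic sender does against a peer offering only LEGACY."""
    peer = {"LEGACY-STREAM"}
    return {d.isoformat(): negotiate(LOCAL_PREFS, peer, Mode.OPPORTUNISTIC, d)
            for d in (BEFORE, BETWEEN, AFTER)}


if __name__ == "__main__":
    for day, chosen in outcomes_for_legacy_only_peer().items():
        print(day, "->", chosen if chosen else "cleartext (no acceptable cipher)")
```

Against a peer that offers only the legacy cipher, the sender still uses it before the broken date, sends in the clear between the two dates (the cost the reply accepts), and also sends in the clear after the interop cutoff; a peer that additionally offers the strong cipher gets it on every date, which is the "better ciphertext" side of the same trade-off.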