Re: [saag] A case against algorithm agility (long)

Yoav Nir <ynir.ietf@gmail.com> Mon, 05 May 2014 10:29 UTC


On May 5, 2014, at 12:35 PM, S Moonesamy <sm+ietf@elandsys.com> wrote:

> Hi Andrey,
> At 19:30 04-05-2014, Andrey Jivsov wrote:
>> It is a good idea to limit the number of possible permutations of allowed algorithms.
>> 
>> However, the pros for the algorithm agility are:
>> * compliance with standards (unless all standards in the world specify the same suite)
> 
> There is an international industry standards group working on a reference architecture.  A draft which was published last month required compliance with a standard in which there is a security issue.
> 
> Is there a possibility that all standards in the world specify the same suite?  That sounds unlikely.  However, I looked at standards from two countries [1] and I found that they were referencing the same standard.

You didn’t say which countries, but if your IPsec/TLS/SSH/SMIME is carrying personal information in Russia, it is required to use GOST.  In Japan you can use Camellia, but I don’t know if that would fulfil the legal requirements in Europe.

That’s the beauty of algorithm agility. The same implementation of these protocols can be used with all of these different algorithms.

So I think Andrey meant national standards as well as IETF, IEEE, or ISO standards.

Yoav