Re: [secdir] secdir review draft-iab-crypto-alg-agility-06 (almost done)

"Paul Hoffman" Tue, 04 August 2015 15:40 UTC


On 4 Aug 2015, at 5:29, Leif Johansson wrote:

> To some extent I think you are right but I'm not sure it is possible to
> do much better in a general document. I think you are looking for a
> "UTA-style BCP" with general applicability to algorithm selection and
> agility and I'm not sure that is possible.

It may not be possible, but that's what this draft is trying to do (but, 
as Hannes points out, without saying so). That is, without a tight 
scoping of who the document is meant for, it naturally has been pulled 
in different directions for different audiences without being explicit. 
UTA had the same problem with its initial documents, and that is why it 
took so long to finish.

It would be reasonable to publish this document as-is, but it would be 
more reasonable to do a major rewrite with a much narrower focus now 
that we know how deep the disagreements in different parts of the 
community are about where to apply algorithm agility.

--Paul Hoffman