Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01

[David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>]

Watson Ladd <watsonbladd@gmail.com> writes:

>> Such a linear ordering would be very hard to achieve, given that
>> different parts of the world trust/mistrust different crypto algorithms.
>> Even among cipher suites discussed so far, how would we order
>> P-256/AES-128 vs. Curve25519/Chacha/Poly1305.  The former set is better
>> is the sense that it is more established.  The latter is better in the
>> sense that it is newer, potentially more efficient, and (for the
>> paranoid) less tainted by government involvement.  I think realistically
>> the preference has to be left to the individual host configuration
>> rather than the IETF.
>
> Let's consider what this actually means. Hosts that implement 1 of two
> options because they don't trust the other one to provide adequate
> security will not talk to the ones that make the wrong choice. Hosts
> that implement both would be fine picking just one, in fact prefer it
> as it reduces the amount of work they have to do.
>
> But by having ranking preferences, we're in fact saying "you would be
> fine with picking one for improved interop, but we're going to force
> you to make a choice that complicates your implementation, because we
> assume you are an expert in cryptanalysis research and we are not".
> Picking one suite that's widely acceptable is far better than
> providing a smorgasbord.

Well, hypothetically, say the US prefers spec X and the EU prefers spec
Y.  The goal is that two hosts in the US would always choose spec X and
two hosts in the EU would always chose spec Y.  But when a host in the
US communicates with a host in the EU, we don't really care as
much--they could choose X or Y, so we might as well base it on the
preferences of the passive opener.  However, hard-coding the spec
rankings risks delaying standardization to argue over which specs should
take priority.

David