[Cryptography] open questions in secure protocol design?

[Stephen Farrell]

On 23/05/15 17:19, ianG wrote:
> 
> 
> 1.  One True Cipher Suite versus Algorithm Agility?

The former simply does not work as an engineering concept.

Performance counts. Systems with AES h/w come in two practical
flavours: CCM and GCM and those do not interoperate. There are
also systems without crypto h/w instructions that need to use
something in s/w such as chacha.

Those facts are IMO entirely sufficient to demonstrate that
the 1TCS concept doesn't work, except in an alternate universe
where you control all platforms.

The performance and security characteristics of platforms will
also vary over time, say if in a few years OCB ended up being
added to systems that now do either GCM or CCM and provided a
way to get interop between many more systems whilst using AES
h/w. That would be a good reason to start wanting to see OCB
ciphesuites.

I would really like to see us (IETF and more broadly) make
progress on limiting pointless ciphersuite proliferation but
the 1TCS concept is just a distraction that makes real progress
harder to achieve IMO.

We ought be concentrating on how to do the agility thing but
*much* better than we have to date (so including ways to get
rid of useless/unused cruft) but we should not be pursuing an
apparent ideal that is really a broken idea.

S.