<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 11/04/2015 23:19, Ian G wrote:<br>
</div>
<blockquote cite="mid:55299DFE.1050403@iang.org" type="cite">
<br>
<br>
<div class="moz-cite-prefix">On 11/04/2015 21:21, Ben Laurie
wrote:<br>
</div>
<blockquote
cite="mid:CAG5KPzxH+36m88N+cES5uo7xiecYAdsUdBXvuZXwpa0Pfzr_Lg@mail.gmail.com"
type="cite">
<div dir="ltr">On 11 April 2015 at 19:50, Bill Frantz <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:frantz@pwpconsult.com" target="_blank">frantz@pwpconsult.com</a>&gt;</span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Newer does not necessarily mean better,<br>
especially in the security field, and in fact
something that has stood<br>
the test of time may actually be _better_ than
something entirely<br>
newfangled.<br>
</blockquote>
</span></blockquote>
<div><br>
</div>
<div>Wat? This is crazy talk.</div>
<div><br>
</div>
<div>Clearly the only sane policy is to believe that the
latest version of X is the most secure. And if you know
about X you ought to also know about the problems with
X-1, X-2,.... So, sure, each end indicates which
versions it is prepared to use, but of the intersection,
_surely_ highest wins?</div>
</div>
</div>
</div>
</blockquote>
<br>
<br>
Well, not totally crazy, just maybe tricky. Case in point, later
generations of Skype since about 2009 have decreased security
&amp; privacy by sharing with Redmond and Maryland. But the
counter to that is that the sane mass-user policy is still to
accept the version upgrades, until the point of abandoning the
product.<br>
</blockquote>
<br>
And of course once we accept the policy that latest is best, the
attacker is now incentivised to attack the version provider. Hence,
NIST's recent troubles, and frequent grumbles about NSA people in
IETF WGs voting for more complicated versions of protocols.<br>
<br>
<br>
<br>
iang<br>
</body>
</html>