<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <br>
    <div class="moz-cite-prefix">On 11/04/2015 23:19, Ian G wrote:<br>
    </div>
    <blockquote cite="mid:55299DFE.1050403@iang.org" type="cite">
      <meta content="text/html; charset=windows-1252"
        http-equiv="Content-Type">
      <br>
      <br>
      <div class="moz-cite-prefix">On 11/04/2015 21:21, Ben Laurie
        wrote:<br>
      </div>
      <blockquote
cite="mid:CAG5KPzxH+36m88N+cES5uo7xiecYAdsUdBXvuZXwpa0Pfzr_Lg@mail.gmail.com"
        type="cite">
        <div dir="ltr">On 11 April 2015 at 19:50, Bill Frantz <span
            dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:frantz@pwpconsult.com" target="_blank">frantz@pwpconsult.com</a>&gt;</span>
          wrote:<br>
          <div class="gmail_extra">
            <div class="gmail_quote">
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex"><span
                  class="">
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    Newer does not necessarily mean better,<br>
                    especially in the security field, and in fact
                    something that has stood<br>
                    the test of time may actually be _better_ than
                    something entirely<br>
                    newfangled.<br>
                  </blockquote>
                </span></blockquote>
              <div><br>
              </div>
              <div>Wat? This is crazy talk.</div>
              <div><br>
              </div>
              <div>Clearly the only sane policy is to believe that the
                latest version of X is the most secure. And if you know
                about X you ought to also know about the problems with
                X-1, X-2,.... So, sure, each end indicates which
                versions it is prepared to use, but of the intersection,
                _surely_ highest wins?</div>
            </div>
          </div>
        </div>
      </blockquote>
      <br>
      <br>
      Well, not totally crazy, just maybe tricky.  Case in point, later
      generations of Skype since about 2009 have decreased security
      &amp; privacy by sharing with Redmond and Maryland.  But the
      counter to that is that the sane mass-user policy is still to
      accept the version upgrades, until the point of abandoning the
      product.<br>
    </blockquote>
    <br>
    And of course once we accept the policy that latest is best, the
    attacker is now incentivised to attack the version provider.  Hence,
    NIST's recent troubles, and frequent grumbles about NSA people in
    IETF WGs voting for more complicated versions of protocols.<br>
    <br>
    <br>
    <br>
    iang<br>
  </body>
</html>