[Cryptography] a question on consensus over algorithmic agility

John Kelsey crypto.jmk at gmail.com
Mon Jun 30 12:41:36 EDT 2014


> On Jun 27, 2014, at 9:32 AM, Peter Fairbrother <zenadsl6186 at zen.co.uk> wrote:
...
> I was almost convinced, for a moment. Two or maybe three suites, only SHALLs allowed, so there is no question of whether a suite is installed or fit for purpose - sounds good.
> 
> But who decides when to stop using an algorithm suite?  The luser client? The boss server?
> 
> It's certainly not the cryptologist.

I'm working on the assumption that the knowledge that a given ciphersuite has problems will, in fact, get around and eventually lead to people being willing to turn off one of the ciphersuites, *if* there's a workable alternative.  I mean, there are a lot of ways this can go wrong, but right now, we see situations where people who listen to cryptographers (on the rare occasions when we mostly agree) still can't stop using stuff like RC4, because then they can't communicate with the rest of the world.

The main point I want to make:  Having one SHALL ciphersuite and lots of MAY or SHOULD ciphersuites doesn't really give you any reliable ability to recover if your SHALL ciphersuite is broken.  Having two or more SHALL ciphersuites gives you some chance that you can switch over to an unbroken ciphersuite.  

More broadly, the kind of algorithm flexibility that matters for security is the ability to *stop* using an algorithm.  Adding Triple-Twofish-CMAC to 10% of the devices you communicate with doesn't do much good, if you can't stop using RC4+CRC32 because it's the only thing everyone implemented.  

> -- Peter Fairbrother

--John
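The point of the reply above (one SHALL suite plus optional MAYs leaves no reliable way to stop using the SHALL suite; two SHALL suites do) can be checked with a small negotiation model. This is an added example, not code from the original post or from anyone in the thread: the endpoint names, the two populations and the "AES-GCM" label are constructed assumptions; "RC4+CRC32" and "Triple-Twofish-CMAC" are the labels the thread itself uses.

```python
"""Toy model of the agility argument in the thread: peers negotiate a
ciphersuite from a profile whose suites are SHALL (everyone implements them)
or MAY (some vendors implement them), and we measure who can still talk after
the ecosystem decides to stop using one suite. Constructed example; the
endpoint names, populations and the "AES-GCM" label are assumptions."""

from itertools import combinations


def negotiate(offerer_suites, responder_suites, disabled=frozenset()):
    """Pick the first suite in the offerer's preference order that the
    responder also implements and that policy has not disabled.
    Returns the agreed suite, or None when the peers cannot agree."""
    for suite in offerer_suites:
        if suite in disabled:
            continue
        if suite in responder_suites:
            return suite
    return None


def build_population(shall, may_assignments):
    """Every endpoint implements all SHALL suites; each additionally carries the
    MAY suites its vendor shipped (possibly none).  Preference order puts the
    vendor's MAY suites first, then the mandatory ones."""
    return [(name, tuple(mays) + tuple(shall)) for name, mays in may_assignments]


def connectivity(endpoints, disabled=frozenset()):
    """Count unordered endpoint pairs that can still agree on a suite.
    Returns (pairs_ok, pairs_total, stranded) where stranded lists the
    (name, name) pairs left with no common enabled suite."""
    pairs = list(combinations(endpoints, 2))
    stranded = []
    for (a_name, a_suites), (b_name, b_suites) in pairs:
        if negotiate(a_suites, b_suites, disabled) is None:
            stranded.append((a_name, b_name))
    return len(pairs) - len(stranded), len(pairs), stranded


def stop_using(endpoints, suite):
    """The policy step the thread is about: disable one suite everywhere and
    report the resulting connectivity."""
    return connectivity(endpoints, disabled=frozenset({suite}))


# Profile A: one SHALL suite plus two MAY suites, with uneven MAY deployment
# (constructed population; "RC4+CRC32" and "Triple-Twofish-CMAC" are the
# labels used in the thread, "AES-GCM" stands in for any other optional suite).
PROFILE_A_SHALL = ("RC4+CRC32",)
POPULATION_A = build_population(PROFILE_A_SHALL, [
    ("router", ()),                         # implements only the SHALL suite
    ("phone", ("AES-GCM",)),
    ("laptop", ("AES-GCM",)),
    ("sensor", ("Triple-Twofish-CMAC",)),   # the "10% of devices" case
])

# Profile B: two SHALL suites, so every endpoint carries an alternative.
PROFILE_B_SHALL = ("RC4+CRC32", "AES-GCM")
POPULATION_B = build_population(PROFILE_B_SHALL, [
    ("router", ()),
    ("phone", ()),
    ("laptop", ()),
    ("sensor", ("Triple-Twofish-CMAC",)),
])


if __name__ == "__main__":
    for label, population in (("one SHALL", POPULATION_A), ("two SHALLs", POPULATION_B)):
        ok, total, stranded = stop_using(population, "RC4+CRC32")
        print(f"{label}: {ok}/{total} pairs still interoperate after dropping RC4+CRC32; "
              f"stranded: {stranded}")
```

Under profile A every pair interoperates only while RC4+CRC32 is still enabled; dropping it strands five of the six pairs, including the two endpoints that each added a different MAY suite. Under profile B the same policy step strands nobody, because the second SHALL suite is already on every device. Adding more MAY suites to profile A does not change this, which is the sense in which the flexibility that matters is the ability to stop.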