[Cryptography] upgrade mechanisms and policies

Adrian Smith adrianrsmith93 at gmail.com
Sun Apr 12 01:06:57 EDT 2015


>If both parties consider their first 
>4 choices essentially the same with the 5th choice a desperation 
>measure to get some protection, then 81 might be better.

I don't think that is a necessary assumption though. For negotiating acceptable versions, there may be specific versions a user does not trust due to later bug fixes, and I don't think that situation would be completely uncommon. As an example in this scenario, what if Alice has 81 as her last choice because of a known security hole which Bob is unaware of? Perhaps Alice likes version 54 better than 27 because of computational resource considerations, but still considers 27 acceptable from a perspective of security, but Bob believes 54 to have less secrecy. By using ordered priority and picking the average preference number, they compromise slightly to use whichever protocol they can both agree will work, meaning each side will have more confidence in the security of the version.

Thanks,
Adrian Smith
adrianrsmith.com
On 4/11/2015 19:34:02, Bill Frantz <frantz at pwpconsult.com> wrote:
On 4/11/15 at 1:21 PM, ben at links.org (Ben Laurie) wrote:

>Clearly the only sane policy is to believe that the latest version of X is
>the most secure. And if you know about X you ought to also know about the
>problems with X-1, X-2,.... So, sure, each end indicates which versions it
>is prepared to use, but of the intersection, _surely_ highest wins?

This comment brings up an interesting question. Assuming both
ends have a priority order of versions, how do you pick between
versions that are acceptable to both ends. Assume the preference order:

Alice: 54 27 62 11 81
Bob: 81 10 27 22 99

Both Bob and Alice are willing to use versions 27 and 81. 81 is
Bob's 1st choice and Alice's 5th while 27 is Alice's 2nd choice
and Bob's 3rd. We might prefer 27, since its average preference
number is higher than 81, but I'm not sure there is a strong
principle for this method. If both parties consider their first
4 choices essentially the same with the 5th choice a desperation
measure to get some protection, then 81 might be better.

Cheers - Bill

--------------------------------------------------------------
Bill Frantz | There are now so many exceptions to the
408-356-8506 | Fourth Amendment that it operates only by
www.pwpconsult.com | accident. - William Hugh Murray

_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
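
The two selection policies discussed in this thread, run on the Alice and Bob preference lists from the quoted message. This is an added example, not code from any poster on the list; the function names, the tie-break rule and the `ALICE_STRICT` list are assumptions made for illustration.

```python
from typing import Dict, List, Optional, Sequence, Tuple

# Preference lists from the quoted message, most preferred first.
ALICE = [54, 27, 62, 11, 81]
BOB = [81, 10, 27, 22, 99]
# Assumed variant: Alice drops 81 entirely instead of ranking it last.
ALICE_STRICT = [54, 27, 62, 11]

def common(a: Sequence[int], b: Sequence[int]) -> List[int]:
    """Versions both ends are prepared to use, kept in a's order."""
    acceptable_to_b = set(b)
    return [v for v in a if v in acceptable_to_b]

def ranks(a: Sequence[int], b: Sequence[int]) -> Dict[int, Tuple[int, int]]:
    """1-based preference rank of each common version at each end."""
    return {v: (a.index(v) + 1, b.index(v) + 1) for v in common(a, b)}

def highest_wins(a: Sequence[int], b: Sequence[int]) -> Optional[int]:
    """'Of the intersection, highest wins'; None when nothing overlaps."""
    both = common(a, b)
    return max(both) if both else None

def mean_rank(a: Sequence[int], b: Sequence[int]) -> Optional[int]:
    """Common version with the best (lowest) average preference rank.

    Ties go to the higher version number (an assumption) so that both
    ends, running the same rule on the same lists, reach the same answer.
    """
    r = ranks(a, b)
    if not r:
        return None
    return min(r, key=lambda v: (sum(r[v]) / 2, -v))

if __name__ == "__main__":
    print("ranks:", ranks(ALICE, BOB))                # 27 -> (2, 3), 81 -> (5, 1)
    print("highest wins:", highest_wins(ALICE, BOB))  # 81
    print("mean rank:", mean_rank(ALICE, BOB))        # 27
    # Once Alice refuses 81 outright, both policies agree.
    print("strict:", highest_wins(ALICE_STRICT, BOB), mean_rank(ALICE_STRICT, BOB))
```
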