[Cryptography] upgrade mechanisms and policies
Ian G
iang at iang.org
Sun Apr 12 03:39:08 EDT 2015
On 11/04/2015 23:19, Ian G wrote:
>
>
> On 11/04/2015 21:21, Ben Laurie wrote:
>> On 11 April 2015 at 19:50, Bill Frantz <frantz at pwpconsult.com
>> <mailto:frantz at pwpconsult.com>> wrote:
>>
>> Newer does not necessarily mean better,
>> especially in the security field, and in fact something that
>> has stood
>> the test of time may actually be _better_ than something entirely
>> newfangled.
>>
>>
>> Wat? This is crazy talk.
>>
>> Clearly the only sane policy is to believe that the latest version of
>> X is the most secure. And if you know about X you ought to also know
>> about the problems with X-1, X-2,.... So, sure, each end indicates
>> which versions it is prepared to use, but of the intersection,
>> _surely_ highest wins?
>
>
> Well, not totally crazy, just maybe tricky. Case in point, later
> generations of Skype since about 2009 have decreased security &
> privacy by sharing with Redmond and Maryland. But the counter to that
> is that the sane mass-user policy is still to accept the version
> upgrades, until the point of abandoning the product.
And of course once we accept the policy that latest is best, the
attacker is now incentivised to attack the version provider. Hence,
NIST's recent troubles, and frequent grumbles about NSA people in IETF
WGs voting for more complicated versions of protocols.
iang
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150412/a67b1957/attachment.html>
More information about the cryptography
mailing list