[Cryptography] upgrade mechanisms and policies

Ian G iang at iang.org
Sun Apr 12 11:44:03 EDT 2015


On 11/04/2015 12:52, Michael Kjörling wrote:
> On 10 Apr 2015 23:28 -0700, from frantz at pwpconsult.com (Bill Frantz):
>> The only issue with only one crypto suite per version is that you
>> can't assume that version n+1 is better than version n.
> On what basis however can we assume that a hypothetical future TLS 1.5
> will be "better" (either in some objectively measurable sense, or in
> every sense) than a likewise TLS 1.4?


We assume that the package preparers know more than the users. A fairly 
safe assumption in the aggregate.  Obviously it breaks down with some 
people and at some times.  But 90% of those discussions are esoteric.  In 
9%, reasonable people can disagree, but the package choice is still fine 
for most.  In 1% they might well be right: the choice is bad, or less good.

> The above is certainly a valid argument to consider, but it falls
> apart pretty quickly if we don't at the very least define what
> "better" actually _means_.


Indeed.  But the users are typically orders of magnitude less capable of 
figuring it out than the devs.  Certainly in security, and definitely in 
suite choices.


> Newer does not necessarily mean better,
> especially in the security field, and in fact something that has stood
> the test of time may actually be _better_ than something entirely
> newfangled.
>
> Even just because such a hypothetical TLS 1.5 would have a larger
> number of algorithms to choose from than 1.4 (in the name of backward
> compatibility) that does not necessarily make it better. (Anywhere
> there is mutual automated negotiation and choosing between, for some
> meaning of the terms, "better" and "worse" options, there exists the
> possibility of downgrade attacks like the one we have just seen,
> whether in the face of implementation bugs or where the negotiation
> can be disrupted.)

Oof... that is what this whole thread is about - getting rid of all that 
choice.  More choice is always worse for general users.

The question we are trying to answer is whether there is *any general 
case where any user choice in security* is better than no choice at all.



iang
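The downgrade scenario raised in the quoted paragraph above can be made concrete with a small model. The following is an added example, not code from the thread or from any TLS implementation: each protocol version carries exactly one cipher suite (Bill Frantz's "one crypto suite per version"), the two sides pick the highest version in common, and an active attacker rewrites the client's offer so that only the weakest version remains. The version numbers, suite names and the HMAC-over-transcript check are assumptions for illustration; the shared key stands in for the authenticated handshake key a real protocol derives (TLS 1.3, for instance, binds the full handshake transcript into its Finished messages, which is what defeats offer-stripping there).

```python
"""Toy model of version negotiation and an offer-stripping downgrade.

Added example for the mailing-list discussion; not code from the thread.
Every name, version number and suite string below is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical "one suite per version" table (constructed for the example).
SUITE_FOR_VERSION = {
    1: "RSA-RC4-MD5",
    2: "ECDHE-AES128-SHA256",
    3: "ECDHE-CHACHA20-POLY1305",
}

# Stands in for the authenticated handshake key the attacker does not have.
SHARED_KEY = b"example-pre-shared-key"  # assumption for the example


@dataclass
class ClientHello:
    versions: list  # versions the client is willing to speak


@dataclass
class ServerHello:
    version: int
    transcript_mac: bytes  # MAC over the offer the server actually saw


def encode_offer(versions):
    # Canonical, order-independent encoding of the offered version list.
    return ",".join(str(v) for v in sorted(versions, reverse=True)).encode()


def mac_transcript(versions, chosen):
    # Binds both what was offered and what was chosen to the shared key.
    data = encode_offer(versions) + b"|" + str(chosen).encode()
    return hmac.new(SHARED_KEY, data, hashlib.sha256).digest()


def server_respond(hello, server_versions):
    # Server picks the highest version it has in common with the offer.
    common = [v for v in hello.versions if v in server_versions]
    if not common:
        raise ValueError("no common version")
    chosen = max(common)
    return ServerHello(chosen, mac_transcript(hello.versions, chosen))


def client_verify(sent_versions, reply):
    # Client recomputes the MAC over what it really sent; a stripped offer
    # produces a different transcript and therefore a different MAC.
    expected = mac_transcript(sent_versions, reply.version)
    return hmac.compare_digest(expected, reply.transcript_mac)


def strip_offer(hello, keep):
    # Active attacker: delete every version it does not want from the offer.
    return ClientHello([v for v in hello.versions if v in keep])


def negotiate(client_versions, server_versions, attacker_keep=None,
              check_transcript=True):
    """Run one handshake; return (version, suite), or raise on a detected downgrade."""
    hello = ClientHello(list(client_versions))
    on_wire = strip_offer(hello, attacker_keep) if attacker_keep else hello
    reply = server_respond(on_wire, server_versions)
    if check_transcript and not client_verify(client_versions, reply):
        raise RuntimeError("downgrade detected: server saw a different offer")
    return reply.version, SUITE_FOR_VERSION[reply.version]
```

Two cases matter here. With `check_transcript=False` the stripped handshake completes at version 1 and nobody notices, which is the failure mode the quoted paragraph describes. With the transcript check on, the same stripping is detected, but a server that genuinely supports only version 2 still negotiates version 2 without complaint: the check distinguishes a disrupted negotiation from an honest old peer, and no amount of checking can make the old peer stronger than it is. That is why the thread's question of how many versions to keep on offer is a policy question rather than a purely cryptographic one.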

