[Cryptography] open questions in secure protocol design?
Viktor Dukhovni
cryptography at dukhovni.org
Mon Jun 1 03:21:29 EDT 2015
On Mon, Jun 01, 2015 at 01:19:17AM +0100, Stephen Farrell wrote:
> I wonder if an "at most two" protocol restriction could work.
>
> Probably not though, even if we designed protocols with a 1
> or 2 bit algorithm id field I bet implementers on the receiver
> side would still try out old stuff to see if it works even
> after we'd all agreed to deprecate the last-but-one old/crap
> thing.
Two is too few in any case. There needs to be a way to start using
a bleeding edge new algorithm without immediately deprecating the
backwards-compatible legacy algorithm. So I see 3 as the minimum.
* Bleeding edge
* Mainstream
* Legacy
Once support for the mainstream algorithm is essentially universal,
it becomes the legacy, and the "bleeding edge" becomes mainstream.
At that point it becomes possible to introduce a new bleeding edge
algorithm.
In terms of where to start practicing this, I think that DNSSEC is
a reasonable place to start retiring legacy algorithms once we have
a new EC signature scheme from CFRG. All algorithms prior to 7
should go (and perhaps the GOST algorithms should also be deprecated).
--
Viktor.
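The three-tier lifecycle described in the message above, worked through as an added example that is not part of the original mail or of any DNSSEC implementation. It models a verifier that accepts exactly three algorithms (bleeding edge, mainstream, legacy), a signer that never falls back to a retired algorithm, and a rotation step that is refused until mainstream support is "essentially universal". The algorithm codes are the real IANA DNSSEC algorithm numbers, but the tier assignment (RSASHA256 legacy, ECDSA P-256 mainstream, Ed25519 standing in for the then-future CFRG scheme), the 99% "universal" threshold, the treatment of GOST as retired, the sample DNSKEY RRset and all helper names are assumptions made for illustration.

```python
"""Three-tier signature-algorithm lifecycle: bleeding edge / mainstream / legacy.

Added example, not code from the original message. Tier assignments, the
'universal' threshold, the sample RRset and helper names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

# IANA DNSSEC algorithm numbers, used here only as concrete algorithm codes.
RSASHA1 = 5
RSASHA256 = 8
ECC_GOST = 12
ECDSAP256SHA256 = 13
ED25519 = 15   # assigned in 2017 (RFC 8080); stands in for the CFRG EC scheme the mail anticipates
ED448 = 16     # likewise; used below as the "next" bleeding-edge algorithm


class PolicyError(ValueError):
    """Raised when a lifecycle transition would violate the three-tier rule."""


@dataclass
class AlgorithmPolicy:
    bleeding: int
    mainstream: int
    legacy: int
    retired: Set[int] = field(default_factory=set)
    # Fraction of verifiers that must support 'mainstream' before it may become
    # 'legacy' (assumed value; the mail only says "essentially universal").
    universal_threshold: float = 0.99

    def accepted(self) -> Tuple[int, int, int]:
        """Newest-first tuple of the only algorithms a verifier may accept."""
        return (self.bleeding, self.mainstream, self.legacy)

    def verify_accepts(self, alg: int) -> bool:
        """Verifier side: exactly three algorithms validate. Retired ones never do,
        even if a peer still signs with them (the 'try the old stuff' failure mode)."""
        return alg in self.accepted()

    def choose_for_signing(self, peer_supported: Iterable[int]) -> Optional[int]:
        """Signer side: pick the newest algorithm the peer can verify.
        Returns None rather than falling back to anything outside the three tiers."""
        supported = set(peer_supported)
        for alg in self.accepted():
            if alg in supported:
                return alg
        return None

    def promote(self, new_bleeding: int, mainstream_support: float) -> Tuple[int, int, int]:
        """Rotate: legacy retires, mainstream -> legacy, bleeding -> mainstream,
        new_bleeding -> bleeding. Allowed only once mainstream support is (nearly) universal."""
        if mainstream_support < self.universal_threshold:
            raise PolicyError(
                f"mainstream algorithm {self.mainstream} is at {mainstream_support:.1%} "
                f"support; need >= {self.universal_threshold:.0%} before retiring {self.legacy}")
        if new_bleeding in self.accepted() or new_bleeding in self.retired:
            raise PolicyError(f"algorithm {new_bleeding} is already in use or retired")
        self.retired.add(self.legacy)
        self.legacy, self.mainstream, self.bleeding = self.mainstream, self.bleeding, new_bleeding
        return self.accepted()


def dnssec_policy_2015() -> AlgorithmPolicy:
    """Illustrative (assumed) tiering for DNSSEC at the time of the mail: everything
    below 7 and GOST retired, RSASHA256 legacy, ECDSA P-256 mainstream, the new CFRG
    EC scheme (modelled as Ed25519) bleeding edge."""
    return AlgorithmPolicy(
        bleeding=ED25519,
        mainstream=ECDSAP256SHA256,
        legacy=RSASHA256,
        retired=set(range(1, 7)) | {ECC_GOST},
    )


# Constructed sample DNSKEY RRset: (flags, protocol, algorithm, public-key placeholder).
SAMPLE_DNSKEY_RRSET: List[Tuple[int, int, int, str]] = [
    (257, 3, RSASHA1, "ksk-rsasha1..."),
    (256, 3, RSASHA256, "zsk-rsasha256..."),
    (256, 3, ECC_GOST, "zsk-gost..."),
    (257, 3, ECDSAP256SHA256, "ksk-ecdsap256..."),
]


def usable_dnskeys(policy: AlgorithmPolicy, rrset):
    """Split a DNSKEY RRset into keys the policy still validates and keys it ignores."""
    kept, dropped = [], []
    for rr in rrset:
        (kept if policy.verify_accepts(rr[2]) else dropped).append(rr)
    return kept, dropped


if __name__ == "__main__":
    policy = dnssec_policy_2015()
    kept, dropped = usable_dnskeys(policy, SAMPLE_DNSKEY_RRSET)
    print("validate with:", [rr[2] for rr in kept], "ignore:", [rr[2] for rr in dropped])
    print("sign for a peer supporting {8, 13}:",
          policy.choose_for_signing({RSASHA256, ECDSAP256SHA256}))
    try:
        policy.promote(ED448, mainstream_support=0.80)
    except PolicyError as e:
        print("refused:", e)
    print("after rotation:", policy.promote(ED448, mainstream_support=0.995))
```

The point the model makes concrete is the one Farrell worries about: the verifier's acceptance set is closed (exactly the three tiers), so a receiver cannot "try out old stuff"; and because a new bleeding-edge algorithm can only enter by pushing the legacy one out, introducing it is gated on the mainstream algorithm having become the universal fallback first.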