[Cryptography] WireGuard

Viktor Dukhovni cryptography at dukhovni.org
Fri Aug 31 16:02:03 EDT 2018


On Thu, Aug 30, 2018 at 04:56:12PM +0100, Howard Chu wrote:

> Why is that clever? Crypto algorithms have relatively short lifespans. Without startup negotiation,
> whatever version of Wireguard you deploy today will have to be completely thrown away within a few
> years. How are you going to coordinate the deathmarch upgrades then?

The right way to do single-suite protocols is to tie all the choices
to a single protocol version.  For shiny new parameters, bump the
protocol version.  Client proposes its list of protocol versions,
and server chooses the highest supported.  If some protocol version
later proves vulnerable to downgrades of this negotiation step,
support for that version is expeditiously phased out.

This model typically means that security protocols are vertically
integrated with the application, since general-purpose security
protocols (e.g. TLS) tend to have to accommodate a range of requirements
that makes a single choice of cryptographic parameters difficult.

-- 
	Viktor.
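The version-negotiation model sketched in the post, as an added example that is not part of the original message or of any real protocol: each version pins one complete suite, the server picks the highest version both sides support while refusing versions that have been phased out, and, as an assumed addition beyond the post, the client's offered list is authenticated after the handshake so a stripped offer (a downgrade of the negotiation step) is detected rather than silently accepted. The suite table, key and version numbers are constructed.

```python
import hashlib
import hmac

# Each protocol version pins a complete, fixed cipher suite: there is no
# per-algorithm negotiation, only a version number (constructed table).
VERSION_SUITES = {
    1: "X25519+ChaCha20-Poly1305+BLAKE2s",
    2: "X25519+AES-256-GCM+SHA-256",
    3: "X448+ChaCha20-Poly1305+BLAKE2s",
}


def server_select(client_versions, server_versions, retired=frozenset()):
    """Pick the highest version both sides support, refusing retired ones.

    Returns None when no acceptable common version exists; the caller
    should abort rather than fall back to something older.
    """
    common = (set(client_versions) & set(server_versions)) - set(retired)
    if not common:
        return None
    return max(common)


def _transcript(client_versions, chosen):
    """Canonical encoding of what the client offered and what was chosen."""
    offered = ",".join(str(v) for v in sorted(client_versions))
    return f"versions:{offered};chosen:{chosen}".encode()


def bind_offer(key, client_versions, chosen):
    """Server side: authenticate the offer it saw under the established key.

    Transcript binding is an assumption added here, not part of the post;
    it lets the client detect an offer that was altered in transit.
    """
    return hmac.new(key, _transcript(client_versions, chosen), hashlib.sha256).digest()


def client_verify(key, offered_versions, chosen, server_tag):
    """Client side: recompute the binding over the list it actually sent."""
    expected = bind_offer(key, offered_versions, chosen)
    return hmac.compare_digest(expected, server_tag)


if __name__ == "__main__":
    key = b"constructed-session-key"
    offer = [1, 2, 3]
    chosen = server_select(offer, VERSION_SUITES, retired={3})
    print("chosen:", chosen, VERSION_SUITES[chosen])          # 2
    # A middlebox strips the offer down to [1]; the server's tag no longer
    # matches what the client offered, so the client aborts.
    tag = bind_offer(key, [1], server_select([1], VERSION_SUITES))
    print("downgrade detected:", not client_verify(key, offer, 1, tag))
```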


More information about the cryptography mailing list