Jon Callas <jon(_at_)callas(_dot_)org> writes:
At 7:34 PM -0700 4/8/00, Paul Hoffman / IMC wrote:
For the past few months, there has been much talk of the likelihood that
the AES process will come out with two ciphers, not one. This was talked
about at the SAAG meeting in Adelaide, and folks from NIST said that this
was indeed the current thinking.
RFC 2440 and the current 2440bis draft has algorithm IDs that say "Reserved
for AES with 128-bit key" and so on. It might be wise to allocate another
three and specify that the actual algorithms used for IDs 7, 8, and 9 (and
probably 11, 12, and 13) will be defined by a future RFC.
I'm of two minds about this.
Since we're listing reasons for having two AES', here's mine. At RSA2K, people
were making various bets (in some cases rather nontrivial ones) about the
eventual AES. Eric Young and myself were both of the opinion that there'd be
two AES', the main one and a spare in case the other one breaks down. Since
neither of us are betting types, I proposed that if I was wrong I'd wear a
t-shirt which said "Eric was wrong", whereupon he very graciously offered to
wear a shirt which said "Peter was wrong". Because of this I'm rather banking
on there being two AES'. This is a somewhat lesser reason than the ones which
Jon has offered, but it's valid nonetheless.
Peter.