On Thu, Feb 17, 2005 at 03:01:29PM +0000, Ian G wrote:
David Shaw wrote:
Rather than trying to jury-rig something together to allow using other
hashes, I think I would rather just declare a V5 key format (which can
be essentially the same as V4), which uses a different hash. Users
can continue using V4 keys as long as they desire, and developers will
have time to add support for V5 so it's ready when it is needed. This
ties in neatly with other things recently discussed here : for
example, a V5 key could be said to have AES as the default algorithm.
Having now read the "note" that the Shandong
team distributed, I'm less inclined to think this
is the end of the world. See my blog for some
snippets.
Declaring a need for a V5 key makes a lot of
sense, if we believe that we can survive that
long. However, the first thing would be that
I'd say a redesign of the key structure would
be better than just a minor change to one
element. I don't think it's worth carring the
costs of an entire new key structure in code
without making it worth carrying on for the
next N decades.
We're much in agreement, though I don't forsee any key version making
it much beyond 10-15 years. The technology changes, and there is no
easy way to get around that. V4 keys have lasted for around 7-8 years
now, and will likely hang on for years to come; that's a pretty good
run. I think designing a V5 key that will last much longer than that
is not possible without a crystal ball. The best we can do is to
design it to last as long as possible, and know that someday we'll be
making a V6 key.
My main argument for a V5 key is that doing patch work on V4 has the
potential to split the installed base into "old V4" and "new V4".
Rather than end up like that, just call "new V4" "V5" instead. It is
also an opportunity to fix the handful of little details that bug
people about V4: the default cipher can be AES instead of 3DES. The
key expiration dates can be hard or soft (not just soft as in V4).
And so on.
I don't know that this should necessarily be in 2440bis, though, or
2440bis may never be released.
David