
Re: ECC in OpenPGP proposal

2008-03-04 11:16:47

On Tue, 4 Mar 2008, David Crick wrote:

I really would *ideally* like to see just one cipher suite, which I
could see would be: SHA384-AES256-ECC384_DH_DSA.

I'm with you on the one cipher suite. I think good protocols must have
methods by which new ciphers can be added (and implementors might actually
want to have them in the code and tested and ready should they need to
enable them), but the more options we add to a cipher suite, the more that
can go wrong.

(This is also my argument for why we should be using Whirlpool with AES,
but the counter argument of popularity/support for the second-gen SHAs
probably out-weighs it.)

Ian G. has written about this a lot, and while he and I don't always agree
on everything, on this point we do. OpenPGP already wants to do what I want
it to do; except the current notion is that if a cipher is broken,
everyone will disable support for it. That might have been a reasonable
assumption when only cypherpunks were using it, but it is naive now. If
you give the user a way to break their security, they will -- especially
if "not doing something" means breaking their security.

(As for which ciphers should go in, I'm going to remain agnostic. I would
pick differently than you did, but we all have our pet favorites. What
matters is that we limit the avenues of attack -- it's not about putting
all our eggs in one basket, as some confused people think; rather, it's
about limiting the possible crypto-level attacks one has available to them
when trying to break the system.)


--Len.
