Robert J. Hansen wrote:
Ok - so what's the threat model here? Are we really expecting AES to be
broken anytime soon? Really?
As a police officer friend of mine is fond of saying, nobody wakes up in
the morning and says "today I think I'll need my body armor."
He still packs a firearm, pepper-spray and baton, I guess? :)
I doubt that anyone working on the RFC really expects AES to be broken
any time soon. The inclusion of Camellia as a hedge against unpleasant
surprises, though, seems wise.
I'm not saying that having alternatives to AES is a bad idea, I'm just
saying that CAMELLIA may not be the best choice there. It has not seen a
lot of cryptanalysis over the last couple of years (primarily because
there's almost no interest in it).
Aaron
signature.asc
Description: OpenPGP digital signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp