Steve,
Your observation about extra pieces of information (what
algorithm suites do you support) gets at the heart of a concern of
mine. I agree completely. I do fear that this EDE2 vs. EDE3 vs.
vanilla DES discussion is not easily resolved in terms of "how good is
good enough."
Despite papers describing how one might attack DES using
massively parallel machines, and with parameters based on known
plaintext attacks against ECB mode, we have never seen any indication
of such devices being developed, the thorough analysis of the
feasiblity of building and maintaining them, the added work factor
implied by use of CBC or CFB, etc. I was a member of a
(NIST-assembled) group that investigated the DES over 15 years ago
when many of these discussions were first taking place. I've seen no
substantive progress on breaking a full, 16-round DES reported
anywhere, despite a decade and a half of work by a wide variety of
very talented people around the world. So, a decision to move from
this point and adopt a higher work factor algorithm (with degraded
performence) is not likely to be justified by good some quantitative
measure of risk.
Steve