On Wed, 24 Nov 2004 13:32:45 -0500, Michael Weiner
<hunter(_at_)userfriendly(_dot_)net> wrote:
On Wed, 2004-11-24 at 13:25 -0500, Michael Hammer wrote:
Why was Rijndael selected over Twofish for AES? A big part of it was
that Rijndael was faster even though Twofish appears to be stronger.
In the real world we have to make choices based on factors that may
not be considered in a perfect world.
not to belay the issue or trivialize your comments in anyway, but the
issue with Rijndael is that its not widely implemented as it is a fairly
new player to the AES arena.
from an implementor!!
Michael Weiner
I'll belabor it. What other algorithms are you taking about for AES
-1? That is a standard from the U.S. Government for data security
under specified conditions . FIPS 140-2 is the draft. Rijndael was
selected in October, 2000. The fact that the algorithm is available to
the public at large and has or has not had a fast adoption rate
(generally) for other uses has nothing to do with the criteria and
process for selection. How much deployment has there been for
Twofish, MARS, Serpent, or RC6 (which were the other finalists)?
I only gave the example to show why in making choices one might choose
to use A and not B.
Just as with DK vs IIM, it is not likely that over the long run both
will be equally accepted in the marketplace. Are you going to sign
each email with both IIM and DK? I don't think the average mail
admin/domain owner/business will do both for each piece of mail.
People will make their choices based on adoption rates by various
players on the receiving end. If few MTAs check something (and those
MTAs aren't critical to the universe of recipients I am trying to
reach) why would I bother?
This is one of the reasons that so many people are asking for a single
framework/record to cover various proposals. They want a certain
amount of simplicity. Nightmare world for many senders: Forced to
publish and keep track of lots of records for various authentication
schemes because various major receivers (ISPs/companies) impose
different requirements (SPF,SenderID,CSV,BATV,DK,IIM, etc) in order
for mail to get through. To bring it back full circle, are we trying
to fix things (spam, phishing,etc) or destroy mail (in the user sense)
as most people know it?
As usual, just my 2 cents.
Mike