Re: "Recommended" is a bad word :)

On Thu, May 15, 2014 at 7:05 AM, Salz, Rich <rsalz@akamai.com> wrote:

> Suggested is better than recommended, but I would still prefer to see
> something like “suggest these be provided by implementations” or something,
> and not necessarily suggested for use.
>
> Perhaps I am just being thick-headed or stubborn, but I still don’t
> understand the objection to warning developers away from certain
> mechanisms.  That advice is incomplete, but it’s not wrong and it’s not
> going to get outdated.
>

Rich,

The problem is, the advice you wish to add IS wrong, as has been pointed
out previously. Or more aptly, whether or not it's Right or Wrong depends
on which use case and what security goals you have - and that's something
the spec has explicitly tried NOT to mandate. Are the statements about
various attacks factually correct? Yes. Does it generalize to a set of
advice? Well, no. That's the problem.

As you can read in Rogaway's paper that Vijay referenced, there are
combinations of (CTR, CBC) modes that have strong security properties - and
there are ways to construct AEAD ciphers as general constructions that do
not.


> At some point soon, someone will want to register Curve25519/Ed25519 for
> use, which is the whole point of registration, right?  It’s a point-in-time
> statement.  So are attacks and weaknesses.  “It gets better” to misuse a
> phrase.
>
> I’m away this week (IETF TLS WG), but if someone thinks talking would help
> enlighten me, that’s fine.
>
>                 /r$
>
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge, MA
> IM: rsalz@jabber.me; Twitter: RichSalz

Received on Thursday, 15 May 2014 17:12:48 UTC