"Perry E. Metzger" <pe...@piermont.com> writes:

>At the very least, anyone whining at a standards meeting from now on that
>they don't want to implement a security fix because "it isn't important to
>the user experience" or adds minuscule delays to an initial connection or
>whatever should be viewed with enormous suspicion.

I think you're ascribing way too much of the usual standards committee crapification effect to enemy action. For example I've had an RFC draft for a trivial (half a dozen lines of code) fix for a decade of oracle attacks and whatnot on TLS sitting there for ages now and can't get the TLS WG chairs to move on it (it's already present in several implementations because it's so simple, but without a published RFC no-one wants to come out and commit to it). Does that make them NSA plants? There's drafts for one or two more fairly basic fixes to significant problems from other people that get stalled forever, while the draft for adding sound effects to the TLS key exchange gets fast-tracked. It's just what standards committees do.

(If anyone knows of a way of breaking the logjam with TLS, let me know).

Peter.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography