On Tue, August 23, 2016 3:53 pm, Paul Hoffman wrote:

[snip]

> I may have misunderstood his proposal because he also wanted to demote
> AES-128 from MUST to MUST-. I object on the grounds that we have no idea
> if there will be quantum-capable computers that can erode AES-128 in the
> foreseeable future, and that even if a dedicated adversary could weaken
> AES-128 to say 80 bits of strength, that we would want to say to all
> developers "don't implement this".
Yeah, I also disagree with the demotion of AES-128 to MUST-. It's the most
widely deployed now, and when Q-C happens we can turn it off with a config
change and work to remove it at that time. I also see no reason to prefer
*using* AES-256 today over AES-128, except, perhaps, for 10-30-year PFS
against a potential Q-C that could bring the 128-bit down to 64-bit security.
But this also assumes an adversary that is recording and storing all
encrypted communications for the next 10-30 years until a Q-C can be built
to break it.

> --PaulH

-derek

-- 
Derek Atkins                 617-623-3745
de...@ihtfp.com             www.ihtfp.com
Computer and Internet Security Consultant

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
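As an added illustration of what "turn it off with a config change" looks like in practice (this is editor-supplied example configuration, not something from the thread, from Derek, or from the IETF draft under discussion), here is a strongSwan swanctl.conf fragment that offers AES-256 ahead of AES-128 for the IKE and ESP proposals, keeps AES-128 available for peers that only implement the MUST algorithm, and documents the one-line edit that later removes it. The addresses, subnets and certificate file name are placeholder assumptions.

```conf
# swanctl.conf (strongSwan) -- added example, not from the mailing-list thread.
# 192.0.2.1, 198.51.100.1, the 10.x subnets and gw-cert.pem are placeholders.
connections {
    gw-to-gw {
        version      = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1

        # IKE SA proposals, most preferred first. AES-256 is offered ahead
        # of AES-128 for traffic that needs long-lived confidentiality, but
        # AES-128 stays available so interoperability with MUST-only peers
        # is not broken today.
        proposals = aes256-sha256-modp2048, aes128-sha256-modp2048

        # The future "config change" that turns AES-128 off is just dropping
        # the aes128 entry and reloading, i.e.
        #   proposals = aes256-sha256-modp2048
        # A peer that cannot offer AES-256 then fails IKE_SA_INIT with
        # NO_PROPOSAL_CHOSEN instead of silently negotiating AES-128.

        local {
            auth  = pubkey
            certs = gw-cert.pem
        }
        remote {
            auth = pubkey
        }

        children {
            net-net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                # ESP proposals use the same ordering. Including a DH group
                # here makes CHILD_SA rekeys do a fresh exchange (PFS), which
                # is what limits the damage of a future key recovery to one
                # SA lifetime. The same one-line edit removes aes128gcm16.
                esp_proposals = aes256gcm16-modp2048, aes128gcm16-modp2048
            }
        }
    }
}
```

After editing, `swanctl --load-all` reloads the connection definitions without restarting the daemon, and `swanctl --list-sas` shows which cipher each established SA actually negotiated, which is the check to run before and after removing AES-128 to confirm no peer was depending on it.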