On Tue, August 23, 2016 3:53 pm, Paul Hoffman wrote:
[snip]
> I may have misunderstood his proposal because he also wanted to demote
> AES-128 from MUST to MUST-. I object on the grounds that we have no idea
> if there will be quantum-capable computers that can erode AES-128 in the
> foreseeable future, and that even if a dedicated adversary could weaken
> AES-128 to say 80 bits of strength, that we would want to say to all
> developers "don't implement this".

Yeah, I also disagree with the demotion of AES-128 to MUST-.  It's the
most widely deployed now, and when Q-C happens we can turn it off with a
config change and work to remove it at that time.  I also see no reason to
prefer *using* AES-256 today over AES-128, except, perhaps, for 10-30-year
PFS against a potential Q-C that could bring the 128-bit down to 64-bit
security.  But this also assumes an adversary that is recording and
storing all encrypted communications for the next 10-30 years until a Q-C
can be built to break it.

> --PaulH

-derek

-- 
       Derek Atkins                 617-623-3745
       de...@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
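As an added example (not from this thread, nor from any IPsec implementation), a small Python policy check that follows the reasoning in the message above: AES-128 only loses ground if the traffic must stay confidential until a quantum computer exists that halves its effective strength, and at that point the fix is a config change that drops the AES-128 proposals. The strongSwan-style proposal strings, the 128-bit target strength and the year figures are assumptions made here for illustration.

```python
import re

# Nominal key strength of the AES variants discussed in the thread.
AES_KEY_BITS = {"aes128": 128, "aes192": 192, "aes256": 256}


def effective_bits(key_bits: int, quantum_adversary: bool) -> int:
    """Grover-style key search costs about 2^(n/2), so a quantum-capable
    adversary brings AES-128 down to roughly 64-bit security (the figure
    used in the thread); otherwise the nominal strength stands."""
    return key_bits // 2 if quantum_adversary else key_bits


def parse_cipher(proposal: str) -> str:
    """Extract the AES cipher from a strongSwan-style proposal string such as
    'aes128gcm16-x25519' (this proposal syntax is an assumption)."""
    m = re.match(r"^(aes(?:128|192|256))", proposal)
    if not m:
        raise ValueError(f"unsupported or non-AES proposal: {proposal}")
    return m.group(1)


def assess(proposal: str, data_lifetime_years: int,
           qc_horizon_years: int, target_bits: int = 128) -> dict:
    """Decide whether a proposal still meets target_bits of security when the
    data must stay secret for data_lifetime_years and a quantum computer is
    assumed to arrive in qc_horizon_years (a recording adversary can wait)."""
    cipher = parse_cipher(proposal)
    exposed = data_lifetime_years >= qc_horizon_years
    bits = effective_bits(AES_KEY_BITS[cipher], exposed)
    return {"cipher": cipher, "quantum_exposed": exposed,
            "effective_bits": bits, "acceptable": bits >= target_bits}


def filter_proposals(proposals, data_lifetime_years, qc_horizon_years):
    """Return (keep, drop): the proposal list after the 'config change' that
    removes proposals no longer meeting the target under the assumptions."""
    keep, drop = [], []
    for p in proposals:
        verdict = assess(p, data_lifetime_years, qc_horizon_years)
        (keep if verdict["acceptable"] else drop).append(p)
    return keep, drop


if __name__ == "__main__":
    # Constructed sample proposal list, not taken from any real configuration.
    sample = ["aes128gcm16-x25519", "aes256gcm16-x25519", "aes128-sha256-modp2048"]
    print("short-lived data:", filter_proposals(sample, 1, 15))
    print("30-year secrecy :", filter_proposals(sample, 30, 15))
```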
