On Sun, Mar 26, 2023 at 9:49 AM AJITOMI Daisuke <[email protected]> wrote: > Taking Ilari's post into account, I would like to take some time to > reconsider my proposal and your raised issue.
The following article is a good summary of a modern take on the concerns related to "cryptographic agility": https://www.blockchaincommons.com/musings/musings-agility/ The Data Integrity work that is happening at the W3C, in the Verifiable Credentials WG, is an example of an approach that attempts to greatly reduce the number of parameters that a non-expert developer has access to when configuring cryptographic systems: Approaches such as "cryptographic agility", "cryptographic layering", and versioning are covered here: https://www.w3.org/TR/vc-data-integrity/#agility-and-layering https://www.w3.org/TR/vc-data-integrity/#versioning-cryptography-suites The design philosophy behind that approach is the notion that a non-trivial number of developers that utilize cryptographic libraries in application-space are ill equipped to know how to properly choose cryptographic parameters, so exposing them to the ability to configure those parameters is less safe than choosing good defaults for them. Choosing between P256 or RS256 or HS256, or why one would use SHA2-256 or SHAKE-256, and so on are difficult choices for non-experts. Therefore, the "cryptosuites approach" attempts to provide reasonable defaults (with new versions released when needed) to those developers such that the chances of them trying to work with parameters that they don't have the skillset to pick are greatly reduced (or, ideally, eliminated). This is the approach that systems like Wireguard have taken in the Linux kernel. Reduction in parameter choice in cryptographic algorithms also leads to, as has been noted in this thread, less fan-out and thus an easier audit surface and a reduced attack surface. -- manu -- Manu Sporny - https://www.linkedin.com/in/manusporny/ Founder/CEO - Digital Bazaar, Inc. News: Digital Bazaar Announces New Case Studies (2021) https://www.digitalbazaar.com/ _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
