On Tue, Dec 16, 2014 at 05:11:34PM +0100, Hubert Kario wrote:

> there are a few issues still
>  - aRSA preferred before aECDSA
>  - AES256 before AES128 in general
>  - a few export-grade ciphers placed before secure ciphers
>  - 3DES is placed arbitrarily
> 
> I'd prefer to not only change the order, but also say what the intent was and
> what the preferred ordering is (which keys are used for ordering), so that
> when new ciphers come, it will be more or less obvious where they should be
> placed

In particular there MUST NOT be any fragile hand-tuning.  All
ordering needs to be based on general principles.  

One might for example say that any CBC cipher at 128+ bits gets a
baseline sorting strength of 128 bits.  One might then apply either
"@STRENGTH" or "@SPEED" (new), the first of which adds "1" to any
CBC cipher whose key is longer than 128 bits, the second to those
that are equal to "128" bits.  

With AES AEAD the baseline could be "129", with similar "STRENGTH"
vs.  "SPEED" boosts.  Which would ensure that AEAD@128 beats CBC@256.

However, where do we fit ChaCha20/Poly-1305?  Again, not hand-placement,
but some extensible algorithm.

-- 
        Viktor.
_______________________________________________
openssl-dev mailing list
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
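
An added sketch (not part of the original message and not OpenSSL code) of the scoring rule described above: mode baselines of 128 and 129 plus a one-point @STRENGTH or @SPEED boost. The suite labels and the tie-break on the mode baseline are assumptions of this sketch; with the message's numbers, AES-128 AEAD and AES-256 CBC both score 129 under @STRENGTH, so the tie-break is what places the AEAD suite first.

```python
# Added illustration of the scoring idea in the message above; not OpenSSL code.
# Suite labels and the (score, baseline) tie-break are assumptions of this sketch.
from typing import NamedTuple


class Suite(NamedTuple):
    name: str      # constructed sample label
    mode: str      # "CBC" or "AEAD"
    key_bits: int


BASELINE = {"CBC": 128, "AEAD": 129}   # numbers taken from the message

# Constructed sample list, deliberately in a poor starting order.
SAMPLE = [
    Suite("AES256-CBC", "CBC", 256),
    Suite("AES128-CBC", "CBC", 128),
    Suite("AES128-GCM", "AEAD", 128),
    Suite("AES256-GCM", "AEAD", 256),
]


def score(suite: Suite, policy: str) -> int:
    """Mode baseline plus a one-point boost selected by the policy."""
    if suite.key_bits < 128:
        raise ValueError("the scheme only covers keys of 128 bits or more")
    if policy == "STRENGTH":
        boost = 1 if suite.key_bits > 128 else 0
    elif policy == "SPEED":
        boost = 1 if suite.key_bits == 128 else 0
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return BASELINE[suite.mode] + boost


def order(suites, policy: str):
    """Sort best-first by score; equal scores fall back to the mode baseline."""
    return sorted(suites, key=lambda s: (score(s, policy), BASELINE[s.mode]),
                  reverse=True)


def names(suites, policy: str):
    return [s.name for s in order(suites, policy)]


if __name__ == "__main__":
    for policy in ("STRENGTH", "SPEED"):
        print(policy, names(SAMPLE, policy))
```
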