Bringing this back to TLS-WG territory. Deprecating algorithms is hard work and can take a long time. Having been through MD5, RC4, 3DES, SHA1 deprecations and CBC de-prioritisations, it was a lot of work and network effects work against rapid changes.
What else could we be doing here? One option might be to say that implementations should always maintain at least two active algorithms for everything, both used with some frequency, and hence both likely to be optimized, the goal being to be able to turn off one at a moment's notice with no availability or performance impact. But what would that look like? What would we do now, in advance, to make it easy to turn off AES? For example.

On Thu, Dec 14, 2017 at 2:58 PM, Watson Ladd <watsonbl...@gmail.com> wrote:

> Let's not forget defense 0: migrating away from broken algorithms (which means turning them off). The fact that we didn't switch MTI away from RSA encryption in TLS 1.1 after these attacks were disclosed, or even in TLS 1.2, means that we've got a very long time before some sites can turn off these algorithms. Given that some places can't turn off SSL v3, it's not clear we can ever turn off a widely implemented protocol.
>
> Sincerely,
> Watson Ladd

--
Colm
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
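One concrete shape for the "two active algorithms, one kill switch" idea raised in the message above, as an added example that is not part of the thread: a hypothetical deploy-time check in Go. The crypto/tls suite constants are real; `Policy`, `Family`, `Active` and `Check` are assumed names, and the family table is illustrative, so any suite it cannot classify is dropped rather than silently kept.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Family maps a TLS 1.2 suite ID to its symmetric primitive, so "turn off AES" is one switch.
func Family(id uint16) string {
	switch id {
	case tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
		return "aes-gcm"
	case tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
		return "chacha20-poly1305"
	}
	return "other" // unclassified (e.g. CBC suites): never enabled, fails closed
}
// Policy is a hypothetical operator structure (not a crypto/tls type): preferred suites plus a kill switch.
type Policy struct {
	Preferred []uint16
	Disabled  map[string]bool // keyed by Family(); flipped at runtime in an emergency
}
// Active returns the suites that survive the kill switch, in preference order, for tls.Config.CipherSuites.
func (p Policy) Active() []uint16 {
	var out []uint16
	for _, id := range p.Preferred {
		if f := Family(id); f != "other" && !p.Disabled[f] {
			out = append(out, id)
		}
	}
	return out
}
// Check enforces the invariant: at least two families stay live, so either can be disabled without an outage.
func (p Policy) Check() error {
	live := map[string]bool{}
	for _, id := range p.Active() {
		live[Family(id)] = true
	}
	if len(live) < 2 {
		return fmt.Errorf("only %d cipher family live; nothing left to fall back on", len(live))
	}
	return nil
}
func main() {
	p := Policy{Preferred: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305}, Disabled: map[string]bool{"aes-gcm": true}}
	fmt.Println(p.Check(), p.Active()) // AES switched off leaves one family, so Check reports an error
}
```

Run `Check` in CI against the proposed configuration and again whenever the kill switch is flipped; a list that passes only while both families are enabled is exactly the list that cannot be changed at a moment's notice.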