On Thu, 14 Dec 2017 16:45:57 -0800 Colm MacCárthaigh <c...@allcosts.net> wrote:
> But what would that look like? What would we do now, in advance, to
> make it easy to turn off AES? For example.

I think this is the wrong way to look at it. From what I'm aware nobody is really concerned about the security of AES. I don't think that there's any need to prepare for turning off AES.

The problem with PKCS #1 v1.5 is that it survived so long *after* it was known that it was bad.

I really recommend everyone who wants to know how protocols go bad to read up on the Bleichenbacher countermeasures in TLS 1.0, 1.1 and 1.2 - and particularly the last one. The chapter in 1.2 is a nightmare and I seriously fail to understand how anyone could have seen that and think it's a good idea to do that in order to stay compatible with a standard that was already deprecated at that point.

We know that when this group decided to deprecate both PKCS #1 1.5 and RSA encryption that there were people trying to lobby against that. I'm glad that this wasn't successful.

I think the takeaway is just as simple as this: If you know an algorithm is bad get rid of it and don't try to "rescue" it over into the next protocol.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
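The practical consequence of the point above is a configuration check: any cipher suite whose key exchange encrypts the premaster secret with RSA PKCS #1 v1.5 depends on the Bleichenbacher countermeasures the message describes, and the simplest way to stop depending on them is to not offer those suites. The following is an added example, not code from the message or from the TLS working group: it parses IANA-style suite names (TLS_<kx>_WITH_<cipher>_<mac>; TLS 1.3 names have no _WITH_ segment) and flags the ones whose key-exchange token starts with RSA, which covers plain RSA, RSA_EXPORT and RSA_PSK. The suite list is constructed for the demonstration; suite names, the regular expression and the helper names are this example's own.

```python
"""Flag cipher suites whose key exchange is RSA encryption of the premaster
secret (PKCS #1 v1.5), i.e. the suites a server should drop rather than keep
alive with padding-oracle countermeasures. Added example, not part of the
mailing-list post."""

import re
from typing import List

# IANA names: TLS_<key exchange>_WITH_<cipher>_<mac>. The non-greedy group
# stops at the first "_WITH_", so the key-exchange token is everything in
# between (e.g. "RSA", "ECDHE_RSA", "DHE_RSA", "RSA_PSK").
_IANA_SUITE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<rest>.+)$")


def key_exchange(suite: str) -> str:
    """Return the key-exchange token of an IANA suite name.

    TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) have no _WITH_ segment and
    negotiate key exchange separately, so they are reported as "TLS13".
    Signalling values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV are "SCSV".
    """
    if suite.endswith("_SCSV"):
        return "SCSV"
    match = _IANA_SUITE.match(suite)
    if match:
        return match.group("kx")
    if suite.startswith("TLS_"):
        return "TLS13"
    raise ValueError(f"not an IANA cipher suite name: {suite!r}")


def uses_rsa_encryption(suite: str) -> bool:
    """True when the client RSA-encrypts the premaster secret.

    That is the case when the key-exchange token *begins* with RSA (RSA,
    RSA_EXPORT, RSA_PSK). ECDHE_RSA / DHE_RSA only use RSA for signatures,
    and DH_RSA / ECDH_RSA use a static DH key certified by an RSA CA, so
    none of those are flagged.
    """
    kx = key_exchange(suite)
    if kx in ("TLS13", "SCSV"):
        return False
    return kx.split("_")[0] == "RSA"


def audit(suites: List[str]) -> List[str]:
    """Return, in input order, the suites that rely on RSA encryption."""
    return [s for s in suites if uses_rsa_encryption(s)]


# Constructed example of a server's offered list (not a real capture).
SAMPLE_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

if __name__ == "__main__":
    for suite in audit(SAMPLE_SUITES):
        print(f"remove: {suite} (key exchange {key_exchange(suite)})")
```

Run against a real server, the input would be the list reported by a scanner or by the server's own configuration dump; the function deliberately raises on names it cannot parse rather than silently passing them, so an unexpected naming scheme shows up as an error instead of a clean audit.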