Re: Last ditch proposal for crypto suites
At 1:24 PM -0400 8/29/02, Steven M. Bellovin wrote:
>If I understand you correctly, you're saying that implementors and/or
>administrators are making different choices on what combinations to
>offer, thus hurting interoperability?
Partially right. The other part that is making interoperability hard
is that there are options for both Phase 1 and Phase 2. Almost no one
in their right mind would really mean that Phase 1 be protected with
DES and Phase 2 be protected with TripleDES, but many UIs make that
easy to do.
If we go with suites, I strongly suspect this WG will pick sensible
ones. Having ten or twenty choices is not a problem if they are
clearly named, such as "Suite A". If a GUI wants to say "Suite A
(TripleDES, SHA-1, Group 2, no PFS)" that's fine, but for a VPN
administrator talking to another administrator to be able
to say "use Suite D" would make interop incredibly simpler.
> That suggests that even if we
>stick with a la carte, we should specify which combinations MUST be
>offered, from among the standard algorithms (subject to administrator
>security override, of course).
And thereby get into GUI messes.
--Paul Hoffman, Director
--VPN Consortium
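The two points in the message above, that a named suite should expand to one consistent Phase 1 and Phase 2 configuration and that a la carte menus let an administrator protect Phase 1 more weakly than Phase 2, can be shown in code. The following is an added example, not code from the thread or from any IPsec implementation. Suite A's contents (TripleDES, SHA-1, Group 2, no PFS) come from the message; "Suite B", the cipher strength ranking and the function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Relative strength ranking of the ciphers discussed on the list.
# Constructed for this example; a higher number is stronger.
CIPHER_STRENGTH = {"DES": 1, "TripleDES": 2, "AES-128": 3}


@dataclass(frozen=True)
class PhaseConfig:
    cipher: str
    hash: str
    # Diffie-Hellman group; None in Phase 2 means no PFS (no fresh DH exchange).
    dh_group: Optional[int]


@dataclass(frozen=True)
class Suite:
    name: str
    phase1: PhaseConfig
    phase2: PhaseConfig


# A named-suite registry. Suite A is spelled out in the message;
# Suite B is a constructed example of a suite with PFS.
SUITES = {
    "Suite A": Suite("Suite A",
                     PhaseConfig("TripleDES", "SHA-1", 2),
                     PhaseConfig("TripleDES", "SHA-1", None)),
    "Suite B": Suite("Suite B",
                     PhaseConfig("AES-128", "SHA-1", 2),
                     PhaseConfig("AES-128", "SHA-1", 2)),
}


def resolve_suite(name: str) -> Suite:
    """Turn the short name two administrators agree on into full parameters."""
    try:
        return SUITES[name]
    except KeyError:
        raise ValueError(f"unknown suite {name!r}; known: {sorted(SUITES)}")


def describe(suite: Suite) -> str:
    """Render a suite the way the message suggests a GUI might label it."""
    p1, p2 = suite.phase1, suite.phase2
    pfs = "no PFS" if p2.dh_group is None else f"PFS Group {p2.dh_group}"
    return f"{suite.name} ({p1.cipher}, {p1.hash}, Group {p1.dh_group}, {pfs})"


def check_a_la_carte(phase1: PhaseConfig, phase2: PhaseConfig) -> List[str]:
    """Flag the mismatches an a la carte UI makes easy to configure.

    Phase 1 (the IKE SA) protects the negotiation of Phase 2 (the IPsec SA),
    so a Phase 1 cipher weaker than the Phase 2 cipher undermines Phase 2.
    """
    problems = []
    if phase1.dh_group is None:
        problems.append("Phase 1 must perform a Diffie-Hellman exchange")
    if CIPHER_STRENGTH[phase1.cipher] < CIPHER_STRENGTH[phase2.cipher]:
        problems.append(
            f"Phase 1 cipher {phase1.cipher} is weaker than Phase 2 cipher "
            f"{phase2.cipher}; Phase 1 protects the Phase 2 negotiation")
    return problems


if __name__ == "__main__":
    # The mismatch the message describes: DES for Phase 1, TripleDES for Phase 2.
    for p in check_a_la_carte(PhaseConfig("DES", "MD5", 2),
                              PhaseConfig("TripleDES", "SHA-1", None)):
        print("a la carte problem:", p)
    # A suite name resolves to a self-consistent pair of phase configurations.
    for name in SUITES:
        s = resolve_suite(name)
        print(describe(s), "->", check_a_la_carte(s.phase1, s.phase2) or "ok")
```

Every suite in the registry passes `check_a_la_carte` by construction, which is the property the message wants from WG-chosen suites: the name carries the whole configuration, and the mismatch check only has to run on the a la carte path.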