Re: Last ditch proposal for crypto suites

[Paul Hoffman / VPNC <paul.hoffman@vpnc.org>]

At 1:24 PM -0400 8/29/02, Steven M. Bellovin wrote:
>If I understand you correctly, you're saying that implementors and/or
>administrators are making different choices on what combinations to
>offer, thus hurting interoperability?

Partially right. The other part that is making interoperability hard 
is that there are options for both Phase 1 and Phase 2. Almost no one 
in their right mind would really mean that Phase 1 be protected with 
DES and Phase 2 be protected with TripleDES, but many UIs make that 
easy to do.

If we go with suites, I strongly suspect this WG will pick sensible 
ones. Having ten or twenty choices is not a problem if they are 
clearly named, such as "Suite A". If a GUI wants to say "Suite A 
(TripleDES, SHA-1, Group 2, no PFS)" that's fine, but for a VPN 
administrator talking to another administrator to be able to be able 
to say "use Suite D" would make interop incredibly simpler.

>   That suggests that even if we
>stick with a la carte, we should specify which combinations MUST be
>offered, from among the standard algorithms (subject to administrator
>security override, of course).

And thereby get into GUI messes.

--Paul Hoffman, Director
--VPN Consortium