[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms

Yoav Nir wrote:
>Why not make the requirement about effective strength?  That way, if ever it
>turns out that AES_128 can be broken in 2**90 steps, it automatically
>becomes a SHOULD NOT.

I don't recommend this.

I can just see the debates this might spawn.  Cryptographers
already can't agree whether the Courtois-Pieprzyk attack works or
not, and that might be a 2^80 attack on AES -- if it works
(which nobody knows).

I'd recommend to keep it simple.  KISS.  Isn't it easier to simply write
that implementors SHOULD NOT use key sizes shorter than the default
key size?