RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms



It MAY be simple, but it is wrong, so it SHOULD NOT be used.  WEP offers
128-bit keys, but only 24-bit security (or 12, depending on your definition).

-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]On Behalf Of David Wagner
Sent: Monday, June 16, 2003 6:39 AM
To: ipsec@lists.tislabs.com
Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms


Yoav Nir wrote:
>Why not make the requirement about effective strength?  That way, if ever it
>turns out that AES_128 can be broken in 2**90 steps, it automatically
>becomes a SHOULD NOT.

I don't recommend this.

I can just see the debates this might spawn.  Cryptographers
already can't agree whether the Courtois-Pieprzyk attack works or
not, and that might be a 2^80 attack on AES -- if it works
(which nobody knows).

I'd recommend to keep it simple.  KISS.  Isn't it easier to simply write
that implementors SHOULD NOT use key sizes shorter than the default
key size?