Re: Suggested wording for weak key lengths in IKEv2

[Paul Koning <pkoning@equallogic.com>]

>>>>> "Paul" == Paul Hoffman </ VPNC <paul.hoffman@vpnc.org>> writes:

 Paul> At 3:56 PM -0400 6/26/03, Paul Koning wrote: - A sentence be
 Paul> added to the end of that section as a free-standing paragraph
 Paul> that says: "Implementations that use algorithms with
 Paul> variable-length keys SHOULD NOT use keys that are weaker than
 Paul> the effective strength of ENCR_3DES."
 >> How about "... strength of ENCR_3DES (112 bits)."  Otherwise it
 >> might cause confusion, because some will think that this rules out
 >> 128-bit keys, which isn't the intent.

 Paul> As noted on the list, not everyone agrees that the effective
 Paul> strength of TripleDES is 112 bits, given differing values for
 Paul> amount of RAM and so on. I think it is better to just leave it
 Paul> as "effective strength" and let folks decide what that means.

 Paul> If anyone reads the sentence and think that it means that
 Paul> AES-128 (which is listed as a SHOULD) is weaker than TripleDES,
 Paul> well, I don't think I would call them an implementer that we
 Paul> need to worry about...

I'm sorry I have to disagree.  You seem to assume, or expect, that
implementers have significant knowledge of cryptography.  That isn't
always true, and I don't think it should be a requirement.

I mentioned earlier that I don't really like talking about "effective
strength" in the first place since it's so much subject to debate and
opinion.  Can we just talk about raw key lengths?  If so, then 128 is
a good limit.

     paul