IETF-SSH archive
(LAST CALL) Proposed Issue Resolution: aes128-cbc to REQUIRED
An implementation survey showed that:
1) almost all implementations support AES
2) there was little or no opposition to making it mandatory.
3) while there was some concern about code bloat in requiring both
3DES and AES, the actual bloat factor was minimal (0.5% to 5%) even
in constrained implementations and was dwarfed by the variation in
implementation size brought on by typical space vs. time tradeoffs.
So I'm proposing that we're going to require both for now.
As always, local policy may cause one or both of these to be disabled
in favor of another locally preferred algorithm; this is purely an
implementation conformance requirement. I'll note that
extraordinarily resource-constrained but dynamic implementations could
exploit this by not loading code for disallowed algorithms...
Proposed textual change:
In draft-ietf-secsh-transport, section 5.3 (Encryption), change:
    aes128-cbc        RECOMMENDED       AES with 128-bit key
to
    aes128-cbc        REQUIRED          AES with 128-bit key
Please send comments on this change to the WG list by January 5th,
2004.
- Bill