IETF-SSH archive

Re: Your DISCUSS on draft-ietf-secsh-newmodes-05
Thor Simon <tls%cs.stevens.edu@localhost> writes:

>My opinion is that AES-CBC and AES-CTR ought to be REQUIRED.  I think that
>the people objecting that it might be too hard to add support for an additional
>cipher should be, if they're speaking of their own implementations, ashamed
>of themselves -- or if they're speaking of some hypothetical "other"
>implementation, brought back in touch with reality: adding support for
>another common cipher is just not difficult,

So they can just go out and update their deployed crypto hardware using a
strong magnifying glass and very small tweezers or something?  AES-CTR is
problematic because support for it in crypto hardware is practically
nonexistent (it's only just appeared as a recent update to PKCS #11, and I'm
not aware of any hardware that supports it), and it could be years (if ever)
before it's supported to a useful level.  CBC OTOH is mainstream; anything
that does AES does CBC.  So my preference would be to have none mandatory (for
the reasons given earlier), but if any are REQUIRED then only AES-CBC.  In
fact I wouldn't complain about MUST AES-CBC if people insist.

(Is there such a thing as POSSIBLY REQUIRED for AES-CTR?  If it ends up with
practically no HW support, like OAEP and some other "good idea but no killer
app" mechanisms have in the past, then directing people to it via REQUIRED
isn't doing anyone much of a service).

Peter.