Russ Housley wrote:
Bill:
I decided not to respond immediately to your note. Instead, I thought
about it over the weekend. Here is my argument for selecting at least
one of these modes as REQUIRED.
We know that the current REQUIRED algorithm is not as robust as we would
like. It is not so flawed that we need to rush to a new one, but we
should plan an orderly migration. By making one of these algorithms
REQUIRED, we are telling implementors where we are going.
I would like to see AES128-CTR be REQUIRED.
Rather than making newmodes specify a REQUIRED cipher as an
indication of direction, we could indicate it directly using
text of some form:
It is widely recognized that the 3des-cbc cipher mode that
is required by [TRANS] is a relatively weak cipher; however,
other alternatives (such as the aes128-ctr mode described
in this document) do not yet have the same level of common
hardware based support as 3des-cbc or they may be too
expensive to implement in hardware for some applications.
As such, no cipher mode described in this document
is REQUIRED; however, implementations SHOULD support
at least aes128-ctr.
At some future point, aes128-ctr may become a required
cipher.
This would be my preferred solution.