
Cryptographic agility is the property of supporting multiple crypto algorithms (like ciphers, signature types...) in a single protocol version that are selected and negotiated at runtime. Are you (broadly speaking) a cryptographer, and do you think agility is desirable?
  • Not a c11r, agility good
    21%
  • Not a c11r, agility bad
    57.7%
  • I am a c11r, agility good
    9.1%
  • I am a c11r, agility bad
    12.2%
977 votes · Final results
If you select "I am a c11r, agility good" I would like to hear from you. I hear all the time from all other three categories, but basically never from this one.
👋 I wouldn't want to jump from SSH3 to SSH4 in order to have a different, say, cipher mode or KEX. We defined KEX, ciphers, and auth as negotiable ID strings for core SSH2 back in '98 and have only updated (essentially) algorithm policies since.
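The runtime name-list negotiation that the poll's definition and the reply above describe, as an added worked example in Python (not code from the thread or from OpenSSH): the client-preference rule from RFC 4253 section 7.1, an algorithm-policy update expressed as a list edit rather than a protocol version bump, and a downgrade attempt that is caught because the exchange hash covers both KEXINIT payloads. The name-lists, the stand-in shared secret and the simplified `exchange_hash()` are constructed assumptions; the real H also covers the version strings, the host key and the DH values.

```python
"""
SSH2-style algorithm negotiation (RFC 4253 section 7.1) with a downgrade check.

Added example, not code from the thread or from OpenSSH. The name-lists are
constructed, and exchange_hash() is a simplified stand-in for the real
exchange hash H (which also covers version strings, the host key and the DH
values); only its coverage of both KEXINIT payloads matters here.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KexInit:
    """The three SSH_MSG_KEXINIT name-lists this example negotiates."""
    kex: tuple
    cipher: tuple
    mac: tuple


def parse_name_list(text):
    """Parse an RFC 4251 name-list: comma separated, no empty names, no spaces."""
    if text == "":
        return ()
    names = tuple(text.split(","))
    for name in names:
        if name == "" or any(ch.isspace() for ch in name):
            raise ValueError("malformed name-list: %r" % text)
    return names


def negotiate(client, server):
    """RFC 4253 7.1: first algorithm on the client's list that is also on the
    server's list. (For kex the RFC adds a host-key compatibility condition,
    omitted here.)"""
    supported = set(server)
    for name in client:
        if name in supported:
            return name
    raise ValueError("no common algorithm; the peers must disconnect")


def negotiate_all(client, server):
    return {
        "kex": negotiate(client.kex, server.kex),
        "cipher": negotiate(client.cipher, server.cipher),
        "mac": negotiate(client.mac, server.mac),
    }


def apply_policy(advertised, disabled):
    """A policy update is a list edit: drop disabled names, keep preference order."""
    return tuple(name for name in advertised if name not in disabled)


def kexinit_payload(k):
    """Stand-in for the KEXINIT wire payload (I_C or I_S)."""
    return ";".join(",".join(lst) for lst in (k.kex, k.cipher, k.mac)).encode()


def exchange_hash(i_c, i_s, shared_secret):
    """Simplified H. Because H covers I_C and I_S and the server signs H with
    its host key, a KEXINIT altered in transit makes the signature fail on the
    client, which hashes the KEXINIT it actually sent."""
    return hashlib.sha256(i_c + b"|" + i_s + b"|" + shared_secret).digest()


def downgrade_attempt(client, server, tampered_client):
    """An attacker rewrites I_C in transit. Returns what the server would pick
    and whether the client's H check would catch the rewrite."""
    try:
        kex = negotiate_all(tampered_client, server)["kex"]
    except ValueError:
        kex = None
    shared = b"constructed-shared-secret"  # stands in for K
    i_s = kexinit_payload(server)
    h_server = exchange_hash(kexinit_payload(tampered_client), i_s, shared)
    h_client = exchange_hash(kexinit_payload(client), i_s, shared)
    return {"kex": kex, "detected": h_client != h_server}


# Constructed name-lists for the example (OpenSSH-style identifiers).
CLIENT = KexInit(
    kex=parse_name_list("curve25519-sha256,ecdh-sha2-nistp256,"
                        "diffie-hellman-group14-sha256,diffie-hellman-group1-sha1"),
    cipher=parse_name_list("chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr"),
    mac=parse_name_list("hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1"),
)
SERVER = KexInit(
    kex=parse_name_list("diffie-hellman-group14-sha256,curve25519-sha256,diffie-hellman-group1-sha1"),
    cipher=parse_name_list("aes128-ctr,aes256-gcm@openssh.com"),
    mac=parse_name_list("hmac-sha2-256,hmac-sha1"),
)
# The same server after an algorithm-policy update; no protocol version bump.
HARDENED_SERVER = KexInit(
    kex=apply_policy(SERVER.kex, {"diffie-hellman-group1-sha1"}),
    cipher=SERVER.cipher,
    mac=apply_policy(SERVER.mac, {"hmac-sha1"}),
)
# What a MITM would like the server to see: only the weakest kex offered.
TAMPERED_CLIENT = KexInit(kex=("diffie-hellman-group1-sha1",),
                          cipher=CLIENT.cipher, mac=CLIENT.mac)

if __name__ == "__main__":
    print(negotiate_all(CLIENT, SERVER))
    print(negotiate_all(CLIENT, HARDENED_SERVER))
    print(downgrade_attempt(CLIENT, SERVER, TAMPERED_CLIENT))
    print(downgrade_attempt(CLIENT, HARDENED_SERVER, TAMPERED_CLIENT))
```

Against the unhardened server the stripped client list does make the server pick `diffie-hellman-group1-sha1`, but the client's exchange hash no longer matches the one the server signed, so the key exchange fails before any data is sent; against the hardened server the stripped list has no common kex at all. Both outcomes come from editing lists, which is the "only updated algorithm policies" point.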
Why do you see the problem of protocol version rollback as easier to manage than some server having an outdated cipher configuration? My experience has been the opposite. The problem with SSH1 was that it wasn't agile *enough*.
Because it's much harder to work with "TLS 1.2 is the good one, but only if you use an ECDHE suite, or also DHE but only if your moduli are big enough" than "TLS v25+ is good". I think SSH avoided some of this thanks to OpenSSH being the majority of the ecosystem.
Well, *nix distributions have their own configurations managed by those security teams, and that probably helped mostly. Web server configuration was left to web masters! So, in a way, not related to protocol design so much.
Btw, how would having TLSv25 with flexible version negotiation be much different from "cipher suites"? You'd have transition periods with people with TLSv21 and v23 calling in etc., so you'd need that. It would essentially mean just calling a "suite" a "version"; same thing.
You need a versioned protocol unless you get it perfect from the start and anticipate all future needs. You do not need to negotiate anything else, and older protocol versions get phased out. Those wanting to reduce attack surface can phase out the older protocols sooner.