Re: [PATCH] Mark recommended ciphers/algorithms

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: IT Superhack <itsuperhack@web.de>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Mark recommended ciphers/algorithms
Date: Fri, 01 Jan 2016 17:54:06 +0100	[thread overview]
Message-ID: <5686AF2E.8080407@web.de> (raw)
In-Reply-To: <1449767773.31655.108.camel@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 2154 bytes --]

Hello Michael, hello Larsen,

sorry for not replying a while; xmas is always very busy

>>> There seems to be a problem with the word "recommended". In the
>>> patches
>>> submitted, I recommended always the most strongest cipher.
>>> However,
>>> as
>>> you said, some of them are simply one step too much. Should then
>>> both
>>> be
>>> recommended?
>>
>> I am not sure. Can anyone come up with a more fitting expression?
>> If we
>> mark everything as "recommended" that is strong enough for now
>> after
>> our consideration, we will have most of them tagged with that word.
>> In
>> that case it would make more sense to mark the weak stuff as such
>> to
>> keep readability. Maybe that is the way to go. But does the average
>> Joe
>> know what is meant by "weak"?
> 
> Joe should know enough that "weak" is normally not what is wanted.  
> Otherwise he should RTFM 
> 
> You could recommend the strongest cipher that would take an attacker 
> millions of years to break, but on the other hand force the hardware
> to  
> burn its CPU, while another "not as strong as the recommended one"
> cipher  
> would also take an attacker thousands of years, but not consume that
> much  
> CPU.
Maybe it is better to mark just the weak or broken entries. I agree,
"recommended" is not very specific here - maybe "strongest" would be
better. Especially to mark AES-256-CBC on the OpenVPN main page.

> 
> If we have "weak". Should we have "broken", too? For example we have to
> support MD5. I wouldn't say that MD5 is weak. It is more than that.
Okay, so we have:
MD5		"broken"
SHA1		"weak"
DH-1024-params	"broken" (? not sure about this)
DH-2048-params	"weak"
AES-256-CBC	"recommended"/"strongest" (on OpenVPN page only)

Do you think this is a good way to start? If yes, I could send in some
patches.

> 
> Why should IKEv2 be recommended? AFAIK there are no known design issues
> with IKEv1. Some algorithms might not be available, but this is not an
> issue for now since AES, SHA2, (AKA the strong ones) are supported.
@Michael: That is correct, I did not RTFM. o:-)

Looking forward to hear from you. Happy new year!

Best regards,
Timmothy Wilson


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 455 bytes --]

next prev parent reply	other threads:[~2016-01-01 16:54 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-23 14:18 [PATCH] Disallow OpenVPN DH params less than 1024 bits IT Superhack
2015-11-24 14:14 ` ue
2015-12-01 22:58   ` Michael Tremer
2015-12-02  9:07     ` IT Superhack
2015-12-02 10:47       ` Michael Tremer
2015-12-02 18:19         ` IT Superhack
2015-12-07 16:35         ` [PATCH] Mark recommended ciphers/algorithms IT Superhack
2015-12-10 17:16           ` Michael Tremer
2015-12-13 15:10             ` IT Superhack
2015-12-13 17:47               ` Larsen
2015-12-15 14:13               ` Michael Tremer
2015-12-15 15:03                 ` Larsen
2015-12-15 21:18                   ` Michael Tremer
2015-12-16  8:06                     ` Larsen
2015-12-18 16:12             ` IT Superhack
2016-01-01 16:54             ` IT Superhack [this message]
2016-01-04 16:31               ` Michael Tremer
2016-01-10 16:29                 ` IT Superhack
2016-01-10 22:22                   ` Michael Tremer
2016-01-02 13:03             ` ue
2016-01-04 16:36               ` Michael Tremer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5686AF2E.8080407@web.de \
    --to=itsuperhack@web.de \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox