Hello Michael, hello Larsen,

sorry for not replying for a while; xmas is always very busy.

>>> There seems to be a problem with the word "recommended". In the patches
>>> submitted, I always recommended the strongest cipher. However, as
>>> you said, some of them are simply one step too much. Should then both
>>> be recommended?
>>
>> I am not sure. Can anyone come up with a more fitting expression? If we
>> mark everything as "recommended" that is strong enough for now after
>> our consideration, we will have most of them tagged with that word. In
>> that case it would make more sense to mark the weak stuff as such to
>> keep readability. Maybe that is the way to go. But does the average Joe
>> know what is meant by "weak"?
>
> Joe should know enough that "weak" is normally not what is wanted.
> Otherwise he should RTFM.
>
> You could recommend the strongest cipher that would take an attacker
> millions of years to break, but on the other hand force the hardware to
> burn its CPU, while another "not as strong as the recommended one" cipher
> would also take an attacker thousands of years, but not consume that much
> CPU. Maybe it is better to mark just the weak or broken entries.

I agree, "recommended" is not very specific here - maybe "strongest" would be better. Especially to mark AES-256-CBC on the OpenVPN main page.

> If we have "weak", should we have "broken", too? For example we have to
> support MD5. I wouldn't say that MD5 is weak. It is more than that.

Okay, so we have:

MD5 "broken"
SHA1 "weak"
DH-1024-params "broken" (? not sure about this)
DH-2048-params "weak"
AES-256-CBC "recommended"/"strongest" (on OpenVPN page only)

Do you think this is a good way to start? If yes, I could send in some patches.

> Why should IKEv2 be recommended? AFAIK there are no known design issues
> with IKEv1. Some algorithms might not be available, but this is not an
> issue for now since AES, SHA2 (AKA the strong ones) are supported.

@Michael: That is correct, I did not RTFM. o:-)

Looking forward to hearing from you.

Happy new year!

Best regards,
Timmothy Wilson
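As an added example (not code from this thread or from the project being discussed), a small Python checker that applies the labels listed in the message above to the `cipher`, `auth` and `dh` directives of an OpenVPN server config, so a documentation label can be cross-checked against what a config actually uses. The sample config is constructed, and the assumption that the DH parameter file name carries the group size (e.g. `dh2048.pem`) is mine, not the thread's.

```python
import re

# Labels as proposed in the thread; the thread itself left a question mark
# on DH-1024, and the AES-256-CBC tag applies to the OpenVPN page only.
LABELS = {
    "cipher": {"AES-256-CBC": "recommended/strongest"},
    "auth":   {"MD5": "broken", "SHA1": "weak"},
    "dh":     {1024: "broken", 2048: "weak"},
}


def label_openvpn_config(text):
    """Return (directive, value, label) for each cipher/auth/dh line.

    Directives the thread did not label get label None."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if directive in ("cipher", "auth"):
            findings.append((directive, value, LABELS[directive].get(value.upper())))
        elif directive == "dh":
            # Assumption (constructed for this example): the DH parameter file
            # name encodes the group size, e.g. dh1024.pem -> 1024 bits.
            m = re.search(r"(\d{3,4})", value)
            bits = int(m.group(1)) if m else None
            findings.append((directive, value, LABELS["dh"].get(bits)))
    return findings


def flagged(findings):
    """Only the entries the thread would mark as weak or broken."""
    return [f for f in findings if f[2] in ("weak", "broken")]


# Constructed sample server config, not taken from the thread.
SAMPLE = """\
cipher AES-256-CBC
auth SHA1          # labelled "weak" in the thread
dh dh1024.pem      # labelled "broken" (with a question mark) in the thread
comp-lzo
"""

if __name__ == "__main__":
    for directive, value, label in label_openvpn_config(SAMPLE):
        print(f"{directive:6} {value:14} {label or '-'}")
```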