On Sun, Dec 15, 2013 at 11:22:32AM -0500, Julien Vehent wrote:
> On 2013-12-15 11:13, Kurt Roeckx wrote:
> >On Sun, Dec 15, 2013 at 10:46:04AM -0500, Julien Vehent wrote:
> >>On 2013-12-14 19:47, Kosuke Kaizuka wrote:
> >>>Camellia is widely reviewed and chosen as a recommended cipher by
> >>>several independent committees.
> >>>If CAMELLIA_CBC is dropped by security reason, AES_CBC should be also
> >>>dropped.
> >>>
> >>
> >>There is another reason to drop CAMELLIA: AES with AES-NI is 8 times
> >>faster. AES-NI is supported by the majority of server CPUs right now.
> >>
> >>Camellia is still fast in software, my laptop computes between 90 and
> >>160 MB/s with openssl and an intel cpu. But if we want to provide the
> >>fastest response time to users, it's important to consider the server
> >>cost on the client side.
> >
> >It's not because it's enabled that you have to use it. The
> >priority of Camellia is now always below AES. If the server
> >supports AES it should pick it.
>
> Right. And by "drop" I really meant "reduce preference of".

Which is what we already did. As Brian's stats show, the reordering
has already reduced Camellia's usage to about 0.03%.

But some people are also considering disabling it by default, as I
think all others were talking about in this thread, not just reduce
the preference.

> For the same reason, the server ciphersuite that we recommend at
> https://wiki.mozilla.org/Security/Server_Side_TLS
> does not drop Camellia, but lists it at the bottom of the ciphersuite.
> It's a safe choice, but not one that we recommend.

As far as I know the reasons for not recommending it are:
- It's slower
- It probably doesn't have many constant-time implementations.

So as I understand it, the reasons for not recommending it don't
have anything to do with the security of Camellia itself.


Kurt