Hi Kurt,

On 02 Jan 2014, at 21:51, Kurt Roeckx <k...@roeckx.be> wrote:

> On Thu, Jan 02, 2014 at 09:33:24PM +0100, Aaron Zauner wrote:
>>> I *think* they want to prefer CAMELLIA to AES, judging by the published
>>> ciphersuite. But the construction must be wrong because it returns AES
>>> first. If the intent is to prefer Camellia, then I am most interested in
>>> the rationale.
>> Thanks for reporting this!
>> 
>> Yes. The intent was to prefer Camellia where possible. First off we wanted
>> to have more diversity. Second, not everybody is running a Sandy Bridge
>> (or newer) processor. Camellia has better performance for non-Intel
>> processors with about the same security.
> 
> I know that for AES people have been putting effort into making
> this constant time.  Having AES-NI clearly helps with this.  I
> can't say the same for Camellia and so think it doesn't make sense
> to prefer it over AES.

Yes.

> NSS/Firefox currently still has Camellia as first non-ECDHE and
> as result does use it for sites supporting it.  But as far as I
> know it's the only browser supporting it, and the next version is
> going to prefer AES over Camellia all the time which resulted in
> its usage going from about 5% to as good as 0%.

Sadly, yes. Camellia is a good cipher, but with AES-NI it’s almost irrelevant 
to TLS traffic.

> There has also been talk about either disabling it by default
> or even dropping support for it but that currently didn't happen
> yet.

That’s a good point. We might want to review this decision.
We generally do that during meetups (which are reported to the ML) or on the
mailing list.


What’s the take on the ChaCha20/Poly1305 proposal by the Mozilla Sec. Team by 
the way?


Thanks,
Aaron


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
