Hi! > > I'm not exactly sure what the camellia crap is doing there and this > > looks fishy and overly complicated to me in many ways, but anyway: > Because - you know - what if AES is backdoored by NSA or something. Oh well... It all began with removing weak ciphers; at the time the ecrypt paper stated that CAMELLIA as well as AES was just fine. Now as Firefox/Thunderbird dropped support, removing CAMELLIA is just fine.
> While we're add it; especially for HTTPS: I think it would make a lot of > sense to get rid of the Cipherstring-A. It's not used anywhere in the actual > Applied Crypto Hardening document and I think current browsers will have a > hard time establishing any connection with that preferred suite. Actually cipherstring A was never meant to be defined by us. It was meant to be defined by the admin who knows more about the environment and the clients connecting whereas cipherstring B was designed to work 'everywhere' -- a secure, general purpose cipher string that works with OpenSSL v0.9.8 as well as v1.0.2. I rather believe we should rename cipherstring B to C and define a next generation cipherstring B using something like OpenSSL v1.0.1 as a baseline (we, of course, need to evaluate current distributions and the OpenSSL versions used there). -- Adi
signature.asc
Description: Digital signature
_______________________________________________ Ach mailing list [email protected] http://lists.cert.at/cgi-bin/mailman/listinfo/ach
