On Oct 11, 2013, at 1:48 AM, ianG <i...@iang.org> wrote:

> What's your goal?  I would say you could do this if the goal was ultimate 
> security.  But for most purposes this is overkill (and I'd include online 
> banking, etc, in that).

We were talking about how hard it is to solve crypto protocol problems by 
getting the protocol right the first time, so we don't end up with fielded 
stuff that's weak but can't practically be fixed.  One approach I can see to 
this is to have multiple layers of crypto protocols that are as independent as 
possible in security terms.  The hope is that flaws in one protocol will 
usually not get through the other layer, and so they won't lead to practical 
security flaws.  

Actually getting the outer protocol right the first time would be better, but 
we haven't had great success with that so far. 

> Right now we've got a TCP startup, and a TLS startup.  It's pretty messy.  
> Adding another startup inside isn't likely to gain popularity.

Maybe not, though I think a very lightweight version of the inner protocol adds 
only a few bits to the traffic used and a few AES encryptions to the workload.  
I suspect most applications would never notice the difference.  (Even the 
version with the ECDH key agreement step would probably not add noticeable 
overhead for most applications.)  On the other hand, I have no idea if anyone 
would use this.  I'm still at the level of thinking "what could be done to 
address this problem," not "how would you sell this?"  

> iang

The cryptography mailing list
