On Thu, Jan 02, 2014 at 09:33:24PM +0100, Aaron Zauner wrote:
> > I *think* they want to prefer CAMELLIA to AES, judging by the published
> > ciphersuite.
> > But the construction must be wrong because it returns AES first. If the
> > intent is to prefer Camellia, then I am most interested in the rationale.
> Thanks for reporting this!
>
> Yes. The intent was to prefer Camellia where possible. First off we wanted to
> have more diversity. Second not everybody is running a sandybridge (or newer)
> processor. Camellia has better performance for non-intel processors with
> about the same security.

I know that for AES people have been putting effort into making this constant time. Having AES-NI clearly helps with this. I can't say the same for Camellia and so think it doesn't make sense to prefer it over AES.

NSS/Firefox currently still has Camellia as first non-ECDHE and as a result does use it for sites supporting it. But as far as I know it's the only browser supporting it, and the next version is going to prefer AES over Camellia all the time which resulted in its usage going from about 5% to as good as 0%. There has also been talk about either disabling it by default or even dropping support for it but that hasn't happened yet.

Kurt

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto