Paul,
...
It's good to remember the reason that 256-bits keys for AES were specified,
i.e., as a hedge against someone building a quantum computer. So, unless the
data being encrypted is expected to have a lifetime far enough into the future
as to merit protection against that concern, the extra time needed to perform
AES-256 vs. AES-128 does not seem justified.
Steve
That’s a good argument for a user choosing to use AES-128 rather than AES-256.
But it doesn’t really address why “SHOULD implement” isn’t justified — the
implementation cost is trivial and if it isn’t used it has no performance
impact.
paul
I have been told by some commercial security consultants that their
customers believe that
bigger is more secure, and thus they should mandate use of longer key
lengths if they
are available. If that report is accurate, then making AES-256 a SHOULD
(vs. a MAY)
creates a situation where the performance penalty will be incurred, for
no good reason.
But, I'm not going to fall on my sword for this.
Steve
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
