Yes, seriously. Allow me to explain:

Secure cryptography is not backwards compatible with insecure cryptography.
You can't decrypt an RC4-encrypted message by using AES-GCM.

When engineers develop systems that allow for backwards compatibility on
top of incompatible primitives, they're creating room for downgrade attacks
[1] [2].

Making a replacement rather than another iteration doesn't carry that risk.

And keep in mind, my target audience is the sort that has absolutely no
idea how to tell "trivially broken" cryptography from "has a
certificational weakness but is otherwise fine".

[1] https://www.openssl.org/~bodo/ssl-poodle.pdf
[2] https://robotattack.org

Whether or not you agree with my decision (your appetite for risk,
envisioned use case, and target audience might all be totally different
than my own), I don't think it deserves incredulity. (Seriously?)

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>

On Sat, Apr 28, 2018 at 12:49 PM, Salz, Rich <[email protected]> wrote:

> Scott,
>
>
>
> If “good and safe” crypto is not 100% in the JOSE ecosystem, you think the
> solution is a new standard which uses some novel techniques?  Seriously?
> To me, a draft which started the process to deprecate the old/bad things
> seems more effective.
>
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
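An added illustration (not code from this thread, Paragon, or any JOSE library) of the point Scott makes above: once a format lets the message name its own primitive, a verifier that stays backwards compatible will keep honoring the deprecated suite, while a verifier pinned to the replacement simply refuses it. The version labels, key and HMAC suites are constructed for the example.

```python
import hmac
from typing import Optional

# Each format version names exactly one MAC suite; nothing is negotiated
# at run time. "v1" stands in for a deprecated suite, "v2" for its
# replacement (constructed toy example, not JOSE's real alg registry).
SUITES = {"v1": "sha1", "v2": "sha256"}
CURRENT = frozenset({"v2"})


def issue(version: str, key: bytes, payload: bytes) -> str:
    """Build a token: version . hex(payload) . hex(mac over version||payload)."""
    body = version.encode() + b"." + payload
    tag = hmac.new(key, body, SUITES[version]).hexdigest()
    return f"{version}.{payload.hex()}.{tag}"


def _check(token: str, key: bytes) -> Optional[tuple[str, bytes]]:
    """Parse and authenticate a token; None if malformed or forged."""
    try:
        version, payload_hex, tag = token.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if version not in SUITES:
        return None
    expected = hmac.new(key, version.encode() + b"." + payload,
                        SUITES[version]).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return version, payload


def verify_compat(token: str, key: bytes) -> Optional[bytes]:
    """Backwards-compatible verifier: trusts whatever suite the token names.
    A valid v1 token is still accepted after v2 ships, so a sender can
    always fall back to the deprecated suite."""
    result = _check(token, key)
    return None if result is None else result[1]


def verify_strict(token: str, key: bytes,
                  accepted: frozenset = CURRENT) -> Optional[bytes]:
    """Replacement-style verifier: the accepted set is fixed by the
    verifier, not chosen by the message. Old tokens are reissued, not
    grandfathered in."""
    result = _check(token, key)
    if result is None or result[0] not in accepted:
        return None
    return result[1]
```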