Thanks Kathleen,

To me, the issue with that para. 2.9 as drafted is one of logic and implicit assumptions.

"Using algorithms that are weak against advanced attackers but sufficient against others is a way to make pervasive surveillance significantly more difficult."

In my naive threat analysis, the entities doing pervasive surveillance are precisely advanced attackers (e.g. state intelligence agencies with access to massive-bandwidth data, colossal storage and enormous processor power... and the expertise to design and implement sophisticated attacks). On that basis, terms like "weak", "sufficient", and "significantly more difficult" seem to me to beg the question.

To get down to specifics: suppose we're talking about 1990s-style crypto-wars and symmetric algorithms. Would para. 2.9 help us to decide whether, say, 40-bit CDMA increases the work factor sufficiently, over unencrypted traffic, to be worth deploying? Or would we hold out for 56-bit DES?

I'm sure there's a valid principle lurking under para. 2.9, but I'm not sure it is currently expressed explicitly enough to provide useful guidance. Maybe that's OK... if explicit guidance is provided elsewhere and I just haven't read it yet.

Hope this helps,
Robin

Robin Wilton
Technical Outreach Director - Identity and Privacy

On 26 Aug 2015, at 20:09, "Paul Wouters" <[email protected]> wrote:

> On Tue, 25 Aug 2015, Kathleen Moriarty wrote:
>
>> I posted a question to SAAG and would like to see where we are at on
>> consensus around a statement that keeps showing up in drafts.
>>
>> If you could take a look at my message to SAAG (and the thread) and
>> chime in there, it would be helpful to know where we are at. I might
>> be in the rough, but I'm not so sure that I am...
>>
>> https://mailarchive.ietf.org/arch/msg/saag/PXrRghfHM-OBj2Y2TniuKptpKCs
>
> Actually, I agree with you. I do not like the use of "weaker algorithms"
> for Opportunistic Security.
>
> There is no valid reason to design anything that is "weaker" in strength
> (e.g. keysize). I think what might have been meant is "unauthenticated"
> versus "authenticated". And that also turns "weak" and "advanced"
> attacker into "passive" and "active" attackers. I think that would be
> more in line with the discussions we have had regarding opportunistic
> security. I have never heard of a proposal from anyone that said "use
> AES128 for opportunistic and AES256 for preconfigured security".
>
> Paul
>
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
