On Tue, Jul 07, 2026 at 10:31:25PM -0400, Paul Wouters wrote:
> Yes, a lot of crypto agility is bad. Some crypto agility is good. [...]
And no agility isn't possible [for long]. That's the point.
We can argue over details, but not that it's fundamentally bad because
it's... not quite fundamentally necessary, but so far it has been close
to fundamentally necessary, and it will continue to be necessary for a
long time.
Principles first:
1) avoid two-layer negotiations like they are a plague,
(e.g., HTTP negotiating auth methods, and then Negotiate [RFC 4559]
w/ SPNEGO negotiating from many GSS mechanisms which each negotiate
cryptographic algorithms -> suboptimal [_three_ negotiation layers!].)
and
2) do negotiation inside one channel like TLS rather than forcing up it
up a layer because it's a lot easier to get the details right in one
place than in many.
For IPsec the negotiation belongs in IKE, naturally. For https: the
negotiation belongs in TLS.
ASIDE: Some are fond of pointing to JWS or x.509 and laughing, but those
are not channels and so algorithm agility for them is relevant
only at the margins for a TLS.
Nico
--
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]