From owner-freebsd-security@FreeBSD.ORG  Sun Sep  7 14:01:06 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 72017A28
 for <freebsd-security@FreeBSD.org>; Sun,  7 Sep 2014 14:01:06 +0000 (UTC)
Received: from proper.com (Hoffman.Proper.COM [207.182.41.81])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4A7F81A7C
 for <freebsd-security@FreeBSD.org>; Sun,  7 Sep 2014 14:01:05 +0000 (UTC)
Received: from [10.20.30.90] (142-254-17-22.dsl.dynamic.fusionbroadband.com
 [142.254.17.22]) (authenticated bits=0)
 by proper.com (8.14.9/8.14.7) with ESMTP id s87E0uaI083809
 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO);
 Sun, 7 Sep 2014 07:00:58 -0700 (MST)
 (envelope-from phoffman@proper.com)
X-Authentication-Warning: proper.com: Host
 142-254-17-22.dsl.dynamic.fusionbroadband.com [142.254.17.22] claimed to be
 [10.20.30.90]
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Subject: Re: deprecating old ciphers from OpenCrypto...
From: Paul Hoffman <phoffman@proper.com>
In-Reply-To: <20140905222559.GO82175@funkthat.com>
Date: Sun, 7 Sep 2014 07:00:55 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <68CF8E05-735F-48D4-9030-A213C09C54F3@proper.com>
References: <20140905222559.GO82175@funkthat.com>
To: John-Mark Gurney <jmg@funkthat.com>
X-Mailer: Apple Mail (2.1878.6)
Cc: freebsd-security@FreeBSD.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Sep 2014 14:01:06 -0000

On Sep 5, 2014, at 3:25 PM, John-Mark Gurney <jmg@funkthat.com> wrote:

> Skipjack: already removed by OpenBSD and recommend not for use by NIST
> 	after 2010, key size is 80 bits

Yes, nuke.

> CAST: key size is 40 to 128 bits

CAST 128 is not weak. Having said that, it is also not used much, and =
has minor (if any) value over AES-128. I can't tell from your message if =
you are leaving CAST >128 in; if so, you should leave CAST 128 in as =
well. If CAST 128 is the max in the module, you can either remove all of =
CAST or leave CAST 128 in, it doesn't matter.

--Paul Hoffman=