From owner-freebsd-security@FreeBSD.ORG Sat Sep 6 07:28:44 2014 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B99D6F30 for ; Sat, 6 Sep 2014 07:28:44 +0000 (UTC) Received: from mail.carlostrub.ch (319.ch [88.198.108.251]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7824D1F15 for ; Sat, 6 Sep 2014 07:28:43 +0000 (UTC) Received: from c-st.net (localhost [127.0.0.1]) (Authenticated sender: cs@carlostrub.ch) by mail.carlostrub.ch (Postfix) with ESMTPA id 6069A1B508E; Sat, 6 Sep 2014 09:28:34 +0200 (CEST) Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: deprecating old ciphers from OpenCrypto... X-Powered-BY: OTRS - Open Ticket Request System (http://otrs.org/) X-Mailer: OTRS Mail Service (3.3.7) Date: Sat, 6 Sep 2014 09:28:33 +0200 Message-ID: <1409988513.269561.213256043.136342.2@c-st.net> To: jmg@funkthat.com Organization: Carlo Strub From: Carlo Strub In-Reply-To: <20140905222559.GO82175@funkthat.com> References: <20140905222559.GO82175@funkthat.com> Cc: freebsd-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Sep 2014 07:28:44 -0000 06/09/2014 00:26 - John-Mark Gurney wrote: > As I've been working on OpenCrypto, I've noticed that we have some > ciphers that OpenBSD does not... As we haven't had a maintainer for > the code, no one has been evaluating which ciphers should be included... >=20 > I would like to document the following ciphers as depcreated in 11, and > remove them for 12: > Skipjack: already removed by OpenBSD and recommend not for use by NIST > after 2010, key size is 80 bits > CAST: key size is 40 to 128 bits >=20 > As you can see, both of these ciphers weak and we should not encourage > their use. Their removal from OpenCrypto will practically only remove > them from their use w/ IPSec. Most other systems are userland and will > use OpenSSL which is different. >=20 > It would be possible for parties that need support to make them a > module, but right now, if you compile in crypto into your kernel, you > get all of these ciphers... >=20 > Comments? >=20 > Thanks. >=20 > --=20 > John-Mark Gurney Voice: +1 415 225 5579 >=20 > "All that I will do, has been done, All that I have, has not." > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or= g" >=20 Sounds reasonable.=