deprecating old ciphers from OpenCrypto...
Carlo Strub
cs at FreeBSD.org
Sat Sep 6 07:28:44 UTC 2014
06/09/2014 00:26 - John-Mark Gurney wrote:
> As I've been working on OpenCrypto, I've noticed that we have some
> ciphers that OpenBSD does not... As we haven't had a maintainer for
> the code, no one has been evaluating which ciphers should be included...
>
> I would like to document the following ciphers as deprecated in 11, and
> remove them for 12:
> Skipjack: already removed by OpenBSD and recommended not for use by NIST
> after 2010, key size is 80 bits
> CAST: key size is 40 to 128 bits
>
> As you can see, both of these ciphers are weak and we should not encourage
> their use. Their removal from OpenCrypto will practically only remove
> them from their use w/ IPSec. Most other systems are userland and will
> use OpenSSL which is different.
>
> It would be possible for parties that need support to make them a
> module, but right now, if you compile in crypto into your kernel, you
> get all of these ciphers...
>
> Comments?
>
> Thanks.
>
> --
> John-Mark Gurney Voice: +1 415 225 5579
>
> "All that I will do, has been done, All that I have, has not."
>
Sounds reasonable.