On Fri, Sep 22, 2006 at 12:53:42AM +0200, Hai Zaar wrote:
> On 9/22/06, Nicolas Williams <Nicolas.Williams@xxxxxxx> wrote:
> >BTW, the whole concept of absolute security strength factors is broken.
> >
> >After all, the relative strengths of ciphers, hashes, MACs, asymmetric
> >cryptographic algorithms (RSA, DH, etc...) and cryptographic protocols
> >built on them are variable over time. And some constructions can be
> >much stronger than the individual components used to build them.
> >
> >IMO the right way to design an API for expressing and enforcing policy
> >relating to the strength of cryptographic systems used, and in the face
> >of pluggable frameworks, is to provide for rules-based profiles that
> >applications and libraries refer to by name, and which mechanisms simply
> >evaluate.
> >
> >Then administrators can write profiles that express the policies that
> >they want.
> This is a very interesting point.
> You probably should point this out at SASL ietf mailing list:
> http://www.imc.org/ietf-sasl

Maybe. I've already made this point somewhere in IETF meetings or
mailing lists. When I get the time I may even write an Internet-Draft
about this.
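
The sketch below is an added example, not part of the original message and not taken from any SASL implementation. It contrasts an absolute strength-factor threshold with the named, rules-based profiles the thread describes. The `Layer` fields, profile names, rule format and sample policy are all hypothetical and constructed for illustration.

```python
# Added illustration: named, rules-based strength profiles (all names hypothetical).
from dataclasses import dataclass

@dataclass(frozen=True)
class Layer:
    """What a mechanism negotiated (constructed fields, not a real SASL API)."""
    cipher: str
    key_bits: int
    mac: str
    ssf: int  # the absolute number the mechanism would report

# Administrator-written profiles: ordered rules, first match wins.
# Each rule is (action, field, operator, value). Constructed sample policy.
PROFILES = {
    "site-default": [
        ("deny", "cipher", "in", {"rc4", "des"}),
        ("deny", "mac", "in", {"hmac-md5"}),
        ("allow", "key_bits", ">=", 128),
    ],
    "legacy-interop": [
        ("deny", "cipher", "in", {"des"}),
        ("allow", "key_bits", ">=", 112),
    ],
}

OPS = {"in": lambda a, b: a in b, ">=": lambda a, b: a >= b}

def evaluate(profile_name: str, layer: Layer) -> bool:
    """Mechanism-side check: look the profile up by name and apply its rules.
    An unknown profile or no matching rule means deny (fail closed)."""
    for action, fld, op, value in PROFILES.get(profile_name, []):
        if OPS[op](getattr(layer, fld), value):
            return action == "allow"
    return False

def ssf_check(min_ssf: int, layer: Layer) -> bool:
    """The absolute-number comparison, for contrast."""
    return layer.ssf >= min_ssf

if __name__ == "__main__":
    rc4 = Layer("rc4", 128, "hmac-md5", 128)       # constructed sample
    aes = Layer("aes-cbc", 128, "hmac-sha1", 128)  # constructed sample
    for layer in (rc4, aes):
        print(layer.cipher, ssf_check(128, layer), evaluate("site-default", layer))
```

Both sample layers report the same number and pass the threshold, while the profile separates them. Changing the policy means editing the profile, with the application still referring to it only by name.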