wireguard.lists.zx2c4.com archive mirror
 help / color / mirror / Atom feed
From: Vivien Malerba <vmalerba@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Future changes in crypto algorithms
Date: Mon, 18 Jun 2018 14:08:08 +0200	[thread overview]
Message-ID: <CAEP1ZN=6aqe3B1sJNhDfB5c86emK+Gk2YJ9d-GaVVYuRzeXYGA@mail.gmail.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 1149 bytes --]

Hi!
My understanding is that the crypto algorithms have been carefully chosen
to avoid having to include ciphers negotiations; with the assumption that
in case a weakness is ever found in one of them, the faulty algorithms will
be "replaced" and all people will have to do is update (the white paper
says "If holes are found in the underlying primitives, all endpoints will
be required to update").

However, for any organization which will use WireGuard, even if admins are
very effective at applying updates, updating all the endpoint systems
simultaneously is not realistic. At the same time, it may be the case that
the organization can't afford the downtime, in which case using WireGuard
will simply not be an option, which is too bad.

Maybe it's too early to think about this at the time, but otherwise I think
including a mechanism which would instruct the system as "for now, use the
new algorithms but still allow for the old ones if the new ones fail while
I update all the endpoints" would answer the problem.

Don't know how to implement that correctly though, but I just wanted to
bring that point to attention.

Best regards,
Vivien

[-- Attachment #2: Type: text/html, Size: 2191 bytes --]

             reply	other threads:[~2018-06-18 12:03 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-18 12:08 Vivien Malerba [this message]
2018-06-21 22:58 ` Future changes in crypto algorithms Phil Hofer
2018-06-22  4:44 ` Matthias Urlichs

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAEP1ZN=6aqe3B1sJNhDfB5c86emK+Gk2YJ9d-GaVVYuRzeXYGA@mail.gmail.com' \
    --to=vmalerba@gmail.com \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).