From: ori@eigenstate.org
To: 9front@9front.org
Date: Sat, 04 Jun 2022 10:47:28 -0400
Subject: Re: [9front] obsolete cryptographic algorithms

Quoth sml :
> In the list I keep reading about different cleanups, which I greatly appreciate and I'm wondering whether the deprecated crypto algorithms and protocols can be cleaned out as well, or if there is a specific reason to hold on to them. I think if you use very weak crypto, you can do without it directly.

Protocols still use them. For example, grepping for md5 in /sys/src/cmd/auth, it's used in:

- HTTPDIGEST (RFC2517)
- SecurID RADIUS
- CRAM digests
- Secstore MAC

Of these, it seems that the only one we fully control is the secstore protocol -- patches welcome, though it may be better to kill secstore entirely.

For the others: what external software implements them, and what other protocols are supported?
To remove them, someone is going to need to go through protocol by protocol and implement updates, or show that they are unused.
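
The protocol-by-protocol inventory described in the message above, sketched as an added example (not part of the original message and not 9front code): it walks a C source tree and lists, per algorithm and file, the lines that reference a weak primitive in code rather than only in comments. The watch list, the sample file names and their contents are assumptions constructed for the demonstration.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed watch list; substring match on lower-cased code, so md5(),
# hmac_md5 and "md5" in a string literal all count as references.
WEAK = ("md4", "md5", "sha1", "rc4")
# C comments. Regex stripping is approximate: "//" inside a string
# literal is also cut, so review such lines by hand before calling
# an algorithm unused.
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def strip_comments(src):
    # Keep the newlines so reported line numbers still match the file.
    return COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), src)

def inventory(root):
    """Return {algorithm: {relative path: [line numbers]}} for *.c/*.h."""
    hits = defaultdict(dict)
    for path in sorted(Path(root).rglob("*.[ch]")):
        code = strip_comments(path.read_text(errors="replace")).lower()
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(code.splitlines(), 1):
            for alg in WEAK:
                if alg in line:
                    hits[alg].setdefault(rel, []).append(lineno)
    return dict(hits)

# Constructed sample tree (file names and contents are made up).
SAMPLE = {
    "digest.c": "#include <libsec.h>\n/* response = md5(secret) */\n"
                "void resp(uchar *d){\n\tmd5(d, 16, d, nil);\n}\n",
    "legacy.c": "/* used to call md5 here;\n   now sha2_256 only */\n"
                "void mac(void){}\n",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for name, text in SAMPLE.items():
            Path(root, name).write_text(text)
        return inventory(root)

if __name__ == "__main__":
    for alg, files in demo().items():
        for name, lines in files.items():
            print(f"{alg}\t{name}\t{lines}")
```

A file that mentions an algorithm only in comments, like the constructed legacy.c, drops out of the report, which leaves the files where a protocol update or removal is actually needed.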