Hello, I would like to inquire as to which OpenBSD RELEASE will offer the possibility to avoid NIST crypto for everything in Base (isakmpd, openssh, openssl, https, nginx being the key items in mind)?

BTW, looks like things are heading in the right direction (http://www.slideshare.net/yandex/rubsd2013-mikeben).

As it stands, there is currently cipher-suite negotiation / configuration coded into every single crypto-enabled tool / daemon and it's a bit of a mess and a headache to manage it all. Would it be good to start to think about having a single, system-wide cipher-suite negotiation configuration and socket(?) interface and removing all this mess from things like isakmpd, openssh, openssl, httpd, nginx, etc?

For example, one could specify a preferred ordered list of cipher suites and ones that aren't listed would be completely avoided at the system level. This could, for example, eliminate static algorithm configuration in ipsec.conf and instead start negotiation traveling down the ordered list until either success or end of list. This method would provide an abstract interface to avoid future version downgrade attacks, i.e. no need to update anything other than the configuration file. And, of course, the autocipher engine would be powered by libsodium (NaCl).

Thoughts, comments, insults, etc, are all welcome! The quantum computer is coming soon to a theatre near you.

-mike
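The ordered-list negotiation sketched in the post, as an added toy model that is not OpenBSD code and not code from the poster: several stand-in daemons share one policy, negotiation walks the policy from most to least preferred, suites the peer offers but the policy does not list are never selected, and negotiation fails closed rather than falling back. The policy file format, the path `/etc/cipher-policy.conf`, the `Daemon` class and the suite names in the sample policy are all constructed for illustration.

```python
# Added example: toy model of a single, system-wide, ordered cipher-suite
# policy shared by every daemon. Not OpenBSD, isakmpd or OpenSSH code; the
# policy format, file path and suite names are constructed for illustration.

# Constructed policy file contents: one suite per line, most preferred first.
SYSTEM_POLICY = """\
# /etc/cipher-policy.conf (hypothetical path)
chacha20-poly1305@openssh.com
aes256-gcm@openssh.com
aes128-ctr
"""


def parse_policy(text):
    """Return the ordered list of permitted suites from policy text.

    Blank lines and '#' comments are ignored. Duplicates are rejected so the
    preference order is unambiguous, and an empty policy is an error rather
    than an implicit 'allow anything'.
    """
    suites = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line in suites:
            raise ValueError("duplicate suite in policy: %s" % line)
        suites.append(line)
    if not suites:
        raise ValueError("policy lists no suites")
    return suites


def negotiate(policy, peer_offer):
    """Walk the policy from most to least preferred and return the first suite
    the peer also offers.

    The peer's own ordering is irrelevant: a suite the peer prefers but the
    policy does not list is never chosen. If nothing in the policy is
    acceptable to the peer the result is None, i.e. negotiation fails instead
    of silently falling back to an unlisted (possibly weaker) suite.
    """
    offered = set(peer_offer)
    for suite in policy:
        if suite in offered:
            return suite
    return None


class Daemon:
    """Stand-in for isakmpd / sshd / httpd: it carries no cipher configuration
    of its own and consults the shared policy for every connection."""

    def __init__(self, name, policy_text):
        self.name = name
        self.policy = parse_policy(policy_text)

    def accept(self, peer_offer):
        return negotiate(self.policy, peer_offer)


if __name__ == "__main__":
    ike = Daemon("isakmpd", SYSTEM_POLICY)
    ssh = Daemon("sshd", SYSTEM_POLICY)

    # Peer lists the weakest permitted suite first; the policy order still wins.
    print(ike.accept(["aes128-ctr", "aes256-gcm@openssh.com"]))

    # Peer offers only suites outside the policy: negotiation fails closed.
    print(ssh.accept(["arcfour", "3des-cbc"]))

    # Dropping one line from the policy retires that suite for every daemon
    # at once, with no per-daemon configuration touched.
    tightened = SYSTEM_POLICY.replace("aes128-ctr\n", "")
    print(Daemon("httpd", tightened).accept(["aes128-ctr", "arcfour"]))
```

The point of the model is the single choke point: every daemon asks the same `negotiate()` over the same parsed policy, so retiring a suite is one edit to the policy text, and a peer that only speaks unlisted suites gets a failed negotiation rather than a downgrade.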