On Thu, Jan 16, 2014 at 01:24:09PM +0200, MJ wrote:
> Hello,
>
> I would like to inquire as to which OpenBSD RELEASE will offer the possibility
> to avoid NIST crypto for everything in Base (isakmpd, openssh, openssl, https,
> nginx being the key items in mind)?

Hi MJ,

Base must be interoperable with other systems of course, and for some time that will require TLS unfortunately.

Aside from that though, the upcoming OpenBSD release, 5.5, will be a landmark for strong crypto. Look here for strings like "25519", "signify", and "chacha":

http://www.openbsd.org/plus.html

As for your point, there's a lot of interest in and support for NaCl. For example, Curve25519 is now in a bunch of stuff like OpenSSH, Tor, Chromium and DNSCurve. Salsa20 and ChaCha20 are getting big. It's happening.

Now that people are more focused on using crypto that actually protects them and their data/privacy, I think there may be a "choice" looming where the IETF either adopts strong crypto, or people move beyond such standards groups in favor of a bottom-up approach. (This is already beginning to happen.) I think certain standards groups have become way too comfortable and don't serve a common good.

> Thoughts, comments, insults, etc, are all welcome!

Things are moving in the right direction! The last six months have seen MAJOR improvements in crypto. If you want to be a part of it, pick up DNSCrypt or DNSCurve. Get a recent Chromium and play with QUIC. Read about MinimaLT.

Strong, fast encryption is coming. And I think OpenBSD 5.5 will be light years ahead when it's released in May.

Nicolai

