[noise] Versioning (was Re: Noise Certificates?)

Tony Arcieri bascule at gmail.com
Tue Jul 29 19:56:37 PDT 2014


On Tue, Jul 29, 2014 at 7:10 PM, Trevor Perrin <trevp at trevp.net> wrote:

> I think having *version* negotiation for an entire protocol is useful,
> so you can migrate to new versions which might include any change.
> I've been assuming that would be handled outside the noise core, i.e.
> the client might prefix its first message with a version number or
> something.
>
> But arguably we should do more to support versioning.  It would be
> good if anyone trying to create a "real" protocol around this could
> think about this and see what would work for them.


+1 to versioning. Arguably this (i.e. cipher agility) doesn't happen very
often. We may have just seen it with the move from RC4 -> AES-GCM, but even
that was something of an oddity as it was precipitated by a move from AES
-> RC4 due to TLS's lack of a Noise Box-like primitive and attacks like
BEAST (so use an authenticated stream cipher and call it good?).

All that said, I would strongly be in favor of Noise having some mechanism
for the server to signal the client that they're using a vulnerable
protocol and that connections for the version they're attempting to use are
unacceptable and they should upgrade.

-- 
Tony Arcieri
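A minimal sketch of the two pieces this thread describes, as an added example that is not from the Noise project or either author: the client prefixes its first message with a version number, and the server answers either by echoing the accepted version or with an explicit upgrade signal naming the lowest version it will accept. The 2-byte prefix, the status bytes and the function names are assumptions; the server never offers anything below its own minimum, and both sides should feed these unauthenticated prefix bytes into the handshake transcript so that tampering is detected once the handshake completes.

```python
import struct

# Constructed framing (an assumption, not Noise's own wire format):
# a 2-byte big-endian version prefix on the client's first message, and
# a 3-byte server reply: 1 status byte followed by a 2-byte version.
VERSION_LEN = 2
STATUS_OK = b"\x00"       # version accepted; the echoed version follows
STATUS_UPGRADE = b"\x01"  # version refused; the minimum acceptable version follows


def client_first_message(version, handshake_msg):
    """Client side: prefix the first handshake message with its version."""
    return struct.pack(">H", version) + handshake_msg


def server_check_version(first_message, accepted, min_version):
    """Server side: policy check on the client's version prefix.

    Returns (ok, reply, handshake_msg). On refusal the reply carries the
    minimum version the server accepts, so an old client can tell a policy
    rejection from a network failure and knows what to upgrade to.
    """
    if len(first_message) < VERSION_LEN:
        raise ValueError("truncated version prefix")
    (version,) = struct.unpack(">H", first_message[:VERSION_LEN])
    if version in accepted and version >= min_version:
        return True, STATUS_OK + struct.pack(">H", version), first_message[VERSION_LEN:]
    # Never advertise a version below min_version: the signal only ever points up.
    return False, STATUS_UPGRADE + struct.pack(">H", min_version), None


def client_parse_reply(reply, sent_version):
    """Client side: decide whether to proceed, upgrade, or abort.

    A real client should abort on "version_mismatch"; the echoed version
    disagreeing with what was sent suggests modification in transit.
    """
    if len(reply) != 1 + VERSION_LEN:
        raise ValueError("malformed reply")
    status = reply[:1]
    (ver,) = struct.unpack(">H", reply[1:])
    if status == STATUS_OK:
        return ("proceed", ver) if ver == sent_version else ("version_mismatch", ver)
    if status == STATUS_UPGRADE:
        return ("upgrade_to_at_least", ver)
    raise ValueError("unknown status byte")
```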