[RenThraysk]

Imagine there is a break in a cryptographic algorithm, say AES256-CBC. Now can I replace it in my messaging app, without having to coordinate with every other messaging app provider? Suddenly governments have a lever to prevent adoption of securer standards.

[viccuad]

Why wouldn't you be able to bump the API of your messaging app? Sounds orthogonal to me. You are required to publish a working and open API. You are doing it. They can consume the new API with the new default cypher.

[RenThraysk]

So no guarantee of interoperability.

[viccuad]

> So no guarantee of interoperability.

Why not? Can you come up with examples? Are you worried that they would use automation to generate a new "API" per second, so consumers would need to play catch-up? Do you think that would hold in court, if/when this initiative has been legislated?

[RenThraysk]

A messenger just refuses to upgrade. So Alice who was sending Bob messages with no problem yesterday, today breaks. So back to having to use the same messenger.

[viccuad]

> A messenger refuses to upgrade.

Well yes, if a messenger refuses to upgrade and consume a working API, it will not consume much. This law is not about forcing all messengers to interoperate with the infinite messengers out there. This law is about forcing those with capitalisation of ~7 billion to provide a sane endpoint.

[SAI_Peregrinus]

AES256-CBC is already not IND-CCA secure, FYI.