by wepple 671 days ago
Perhaps the meta-message here is that you absolutely have to design for cryptographic agility.

You may not need to jump to the next best thing every 3 years, but as certain constructs are proven weak, you’ll need to start migrating systems and data off of them to modern equivalents.


> you absolutely have to design for cryptographic agility

Yes, but for heaven’s sake don’t design something with “cipher suite negotiation” which has been an endless source of vulnerability over the years in SSL/TLS, IPsec, PGP…

Instead one should advance the version of the entire protocol or file format when you need to upgrade the cryptography. Then you deprecate old versions as quickly as possible. WireGuard and age have no algorithm negotiation at all.

The best way to do cryptographic agility is to associate the algorithm with the key and negotiate keys (from a given set) only. Google’s Tink library does this very well. See https://neilmadden.blog/2018/09/30/key-driven-cryptographic-... for some more background. Version numbers are just algorithm identifiers in another form.
In other words, you only need cryptographic evolvability, not agility.
Yeah, very very important point
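The key-driven approach from the Tink comment above, as an added illustration that is not part of the thread and not Tink's actual API: each key in a keyset is bound to one algorithm, tags carry only a key ID, and upgrading the algorithm means adding a new primary key and later disabling the old one. The `Keyset` class, the key IDs and the HMAC-only algorithm set are constructed for this example.

```python
import hashlib
import hmac
import secrets
import struct
# Allowed algorithms are fixed in code; a key names exactly one of them.
ALGORITHMS = {"HMAC_SHA256": hashlib.sha256, "HMAC_SHA512": hashlib.sha512}

class Keyset:
    def __init__(self):
        self.keys = {}       # key_id -> (algorithm name, key bytes)
        self.primary = None  # key_id used to produce new tags

    def add_key(self, key_id, algorithm, key=None, primary=False):
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unsupported algorithm {algorithm}")
        self.keys[key_id] = (algorithm, key or secrets.token_bytes(32))
        if primary or self.primary is None:
            self.primary = key_id

    def disable_key(self, key_id):
        # Deprecation step: tags produced with this key stop verifying.
        if key_id == self.primary:
            raise ValueError("rotate the primary key before disabling it")
        del self.keys[key_id]

    def compute_mac(self, message):
        algorithm, key = self.keys[self.primary]
        tag = hmac.new(key, message, ALGORITHMS[algorithm]).digest()
        return struct.pack(">I", self.primary) + tag  # key ID, not algorithm

    def verify_mac(self, message, tagged):
        if len(tagged) < 4:
            return False
        key_id = struct.unpack(">I", tagged[:4])[0]
        entry = self.keys.get(key_id)
        if entry is None:
            return False  # unknown or disabled key: reject, no fallback
        algorithm, key = entry  # algorithm comes from the key, never the message
        expected = hmac.new(key, message, ALGORITHMS[algorithm]).digest()
        return hmac.compare_digest(expected, tagged[4:])

def rotation_demo():
    # Add a key with a new algorithm, keep verifying old tags, then deprecate.
    ks = Keyset()
    ks.add_key(1, "HMAC_SHA256")
    old = ks.compute_mac(b"hello")
    ks.add_key(2, "HMAC_SHA512", primary=True)
    new = ks.compute_mac(b"hello")
    old_ok_before = ks.verify_mac(b"hello", old)
    ks.disable_key(1)
    return old_ok_before, ks.verify_mac(b"hello", new), ks.verify_mac(b"hello", old)
```

Because the receiver never reads an algorithm identifier from the message, there is nothing for a peer to downgrade; the only choice left is which key, and unknown or disabled keys are rejected outright.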