[Pkg-swan-devel] Bug#803787: Bug#803787: [strongswan] Enable post-quantum algorithms

Nicolas Braud-Santoni nicolas at braud-santoni.eu
Tue Nov 3 15:56:00 UTC 2015


On Mon, Nov 02, 2015 at 09:06:38PM +0100, Yves-Alexis Perez wrote:
> On lun., 2015-11-02 at 20:36 +0100, Nicolas Braud-Santoni wrote:
> > The NTRU and BLISS post-quantum cryptosystems are available in strongswan
> > (releases 5.1.2 and 5.2.2, respectively).
> There's a lot of stuff available in strongSwan. We don't actually enable
> everything, on purpose.

Post-quantum key-exchange, as provided by NTRU, is needed by users who want to provide
forward-secrecy in the mid/long-term, given that quantum computers might become a legitimate
threat within the next 5 or 10 years (and we are aware that some people do collect and save
traffic for later cryptanalysis).

BLISS, while potentially nice-to-have, is (in my opinion) less of an immediate concern given the
unlikelyhood of the signature schemes currently-available in strongswan being broken.  The
difference here being that migrating to safer signature scheme might happen as needed (modulo the
time required to deploy new configuration), whereas future threat against the encryption
(including key-exchange) threaten the forward-secrecy of traffic being currently exchanged.

> Point release update won't happen. I can't talk about backports, I'm not
> interested in them right now.

Best regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 878 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-swan-devel/attachments/20151103/e07f1ae1/attachment.sig>

More information about the Pkg-swan-devel mailing list