[01:59] <blahdeblah> Any of you fine security folks know of any crypto research which might indicate that chacha20-poly1305 might be showing signs of weakness?  AWS removed it from their latest SFTP security policy, and they didn't announce it or explain why. https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html#cryptographic-algorithms
[02:00] <sarnold> yikes
[02:00] <sarnold> this is news to me
[02:10] <blahdeblah> I contacted their docs folks and they said it wasn't deprecated, but didn't reply when I pointed out that it was removed from their latest policy.
[02:11] <blahdeblah> I wonder whether there is some embargoed research out there that's going to drop soon...
[02:11] <blahdeblah> But you'd think between March and now something would have happened if that were the case.
[02:13] <sarnold> maaaaaaaybe; some of the processor flaws have taken two years or something to be made public
[02:13] <blahdeblah> I would also have thought that the OpenSSH folks would be keen to make it public quickly if there wre an important flaw...
[02:14] <sarnold> depending upon what might have hypothetically been discovered, it might take a *long* time for the huge enterprises to pivot; we get launchpad bugs on some openssl3 things that busted interop with VPN devices that haven't fixed a 2009 CVE yet..
[02:14] <sarnold> hah
[02:14] <sarnold> you're very familiar with openssh folks I see :)
[02:15] <blahdeblah> (no, just making assumptions)
[02:15] <blahdeblah> Anyway, I'll leave it in your capable hands, sarnold.  Might be nothing, who knows?
[02:15] <sarnold> I also assume that if Someone found something Important and wanted to spend a few months coordinating something, they would *not* talk with the openssh folks until about two hours before the CRD
[02:15] <blahdeblah> haha