RE: ISSUE-128: Strong / weak algorithms? [Techniques] from Hallam-Baker, Phillip on 2007-10-16 (public-wsc-wg@w3.org from October 2007)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Mon, 15 Oct 2007 20:26:04 -0700
To: "Luis Barriga" <luis.barriga@ericsson.com>, "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Message-ID: <2788466ED3E31C418E9ACC5C31661557084EC4@mou1wnexmb09.vcorp.ad.vrsn.com>

IDEA is not currently well thought of, can't remember if it is definitively broken but its certainly no longer A list.
 
RC4 is a somewhat problematic cipher. It has to be done just right. The TLS implementation is considered good, others (e.g. WEP) are broken. But its still a stream cipher and much less robust in use than a good block cipher. 
 
I don't think we should write an exhaustive list olf strong ciphers. The most we should do is to note that there is a set of ciphers that the consensus recognizes as being acceptably strong which should be supported.

________________________________

From: public-wsc-wg-request@w3.org on behalf of Luis Barriga
Sent: Thu 11/10/2007 10:02 AM
To: Web Security Context Working Group WG
Subject: RE: ISSUE-128: Strong / weak algorithms? [Techniques]



NIST has an online PDF document dated 2005:
"Guidelines for the Selection and Use of Transport Layer Security (TLS)
Implementations"
http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf

At the end they have a table of recommended TLS server cypher suites
that I took a snapshot and attach herewith. I think that we could
consider the as "strong suites" (=combination of publi key + symmetric
key + key lengths).

One problem is that the selection criteria includes only FIPS-approved
algorithms (a requirements for governmental use) which excludes RC4 and
IDEA which can be cryptographically strong too.

Luis
-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Web Security Context Working Group Issue Tracker
Sent: den 11 oktober 2007 13:48
To: public-wsc-wg@w3.org
Subject: ISSUE-128: Strong / weak algorithms? [Techniques]



ISSUE-128: Strong / weak algorithms? [Techniques]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Thomas Roessler
On product: Techniques

The current text includes a placeholder for strong TLS alorithms,
intended to be filled by reference.  What do we put there?

http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#strong-algos

Received on Tuesday, 16 October 2007 03:30:30 UTC