RE: ISSUE-128: Strong / weak algorithms? [Techniques] from Hallam-Baker, Phillip on 2007-10-16 (public-wsc-wg@w3.org from October 2007)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Tue, 16 Oct 2007 08:32:50 -0700
To: "Thomas Roessler" <tlr@w3.org>
Cc: "Luis Barriga" <luis.barriga@ericsson.com>, "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Message-ID: <2788466ED3E31C418E9ACC5C31661557084EC8@mou1wnexmb09.vcorp.ad.vrsn.com>

I would prefer not to make a recommendation here since it is not a document that I would want to keep continuously updated.

There is a strong industry consensus here and what we need to do is to ensure that it is widely recognized as such and have a mechanism to alert people when the consensus changes (e.g. the new results on SHA-1).

________________________________

From: Thomas Roessler [mailto:tlr@w3.org]
Sent: Tue 16/10/2007 4:08 AM
To: Hallam-Baker, Phillip
Cc: Luis Barriga; Web Security Context Working Group WG
Subject: Re: ISSUE-128: Strong / weak algorithms? [Techniques]

On 2007-10-15 20:26:04 -0700, Phillip Hallam-Baker wrote:

> I don't think we should write an exhaustive list olf strong
> ciphers. The most we should do is to note that there is a set of
> ciphers that the consensus recognizes as being acceptably strong
> which should be supported.

I'd rather we either reference some known-authoritative document
that is being maintained elsewhere (because I don't see us taking on
that kind of document maintenance role for this particular problem).

The second-best approach might be to say "these are known bad [REF]
[REF] [REF], for the rest, please do your due diligence."

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 16 October 2007 15:35:22 UTC