- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Tue, 16 Oct 2007 14:22:55 -0400
- To: "Hallam-Baker, Phillip" <pbaker@verisign.com>, "Thomas Roessler" <tlr@w3.org>
- Cc: "Luis Barriga" <luis.barriga@ericsson.com>, "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
- Message-ID: <518C60F36D5DBC489E91563736BA4B5801B2DB49@IMCSRV5.MITRE.ORG>

There are a number of standards bodies that we can point to that note recommended strengths. In the US the National Institute of Standards and Technology (NIST) provides the clearing house for recommended practices.

Systems could follow Federal Information Processing Standards (FIPS) or FIPS 140-2 http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Hallam-Baker, Phillip
Sent: Tuesday, October 16, 2007 11:33 AM
To: Thomas Roessler
Cc: Luis Barriga; Web Security Context Working Group WG
Subject: RE: ISSUE-128: Strong / weak algorithms? [Techniques]

I would prefer not to make a recommendation here since it is not a document that I would want to keep continuously updated.

There is a strong industry consensus here and what we need to do is to ensure that it is widely recognized as such and have a mechanism to alert people when the consensus changes (e.g. the new results on SHA-1).

________________________________

From: Thomas Roessler [mailto:tlr@w3.org]
Sent: Tue 16/10/2007 4:08 AM
To: Hallam-Baker, Phillip
Cc: Luis Barriga; Web Security Context Working Group WG
Subject: Re: ISSUE-128: Strong / weak algorithms? [Techniques]

On 2007-10-15 20:26:04 -0700, Phillip Hallam-Baker wrote:

> I don't think we should write an exhaustive list of strong
> ciphers. The most we should do is to note that there is a set of
> ciphers that the consensus recognizes as being acceptably strong
> which should be supported.

I'd rather we either reference some known-authoritative document that is being maintained elsewhere (because I don't see us taking on that kind of document maintenance role for this particular problem).

The second-best approach might be to say "these are known bad [REF] [REF] [REF], for the rest, please do your due diligence."

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>

Received on Tuesday, 16 October 2007 18:23:12 UTC