Re: ISSUE-128: Strong / weak algorithms? [Techniques] from Yngve N. Pettersen (Developer Opera Software ASA) on 2007-10-17 (public-wsc-wg@w3.org from October 2007)

From: Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com>
Date: Wed, 17 Oct 2007 13:25:10 +0200
To: "Luis Barriga" <luis.barriga@ericsson.com>, michael.mccormick@wellsfargo.com, Anil.Saldhana@redhat.com, public-wsc-wg@w3.org
Message-ID: <op.t0b9z8ojqrq7tp@nimisha.invalid.invalid>
Any reason why the result of ACTION-285 doesn't suffice?

http://www.w3.org/2006/WSC/track/actions/285
http://lists.w3.org/Archives/Public/public-wsc-wg/2007Sep/0014.html

On Wed, 17 Oct 2007 13:06:50 +0200, Luis Barriga  
<luis.barriga@ericsson.com> wrote:

>
> FIPS main audience is *crypto* implementors. It seems too low level and
> thus doesn't seem to be the primary document to refer to.
>
> We need to refer to some authoritative document(s) recommending TLS
> suites to web site *security* administrators so they can decide which
> ones to enable/disable when deploying TLS-enabled web sites. I don't
> think administrators would get that much help digging into FIPS.
>
> NIST has such document, but as I mentioned in is for govermental use,
> which excludes RC4, that as far as I know (?) is widely deployed due to
> its high performance.
>
> Luis
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> On Behalf Of michael.mccormick@wellsfargo.com
> Sent: den 17 oktober 2007 00:02
> To: Anil.Saldhana@redhat.com; public-wsc-wg@w3.org
> Subject: RE: ISSUE-128: Strong / weak algorithms? [Techniques]
>
>
> It might be better in a W3C standard to reference the international
> equivalents of FIPS 140.
>
> The FIPS 140-1 equivalent is ISO/IEC FCD 19790 "Security requirements
> for cryptographic modules".
>
> Last I heard, FIPS 140-2 was the US input document to an NP recently
> approved by CS1.  At that time it had not yet been assigned an ISO/IEC
> number, but maybe that has changed.
>
> Mike
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> On Behalf Of Anil Saldhana
> Sent: Tuesday, October 16, 2007 3:08 PM
> To: Web Security Context Working Group WG
> Subject: Re: ISSUE-128: Strong / weak algorithms? [Techniques]
>
>
> FIPS 140-2 is the defining standard for cryptology (at least in the US).
>
> Maybe we can use that as the frame of reference in the rec doc?
>
> Doyle, Bill wrote:
>> A number of standards bodies that we can point to that note
>> recommended strengths.
>>
>> In the US the National Institute of Standards and Technology (NIST)
>> provides the clearing house for recommended practices. Systems could
>> follow Federal Information Processing Standards (FIPS) or FIPS 140-2
>>
>> http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
>>
>>     *From:* public-wsc-wg-request@w3.org
>>     [mailto:public-wsc-wg-request@w3.org] *On Behalf Of *Hallam-Baker,
>>     Phillip
>>     *Sent:* Tuesday, October 16, 2007 11:33 AM
>>     *To:* Thomas Roessler
>>     *Cc:* Luis Barriga; Web Security Context Working Group WG
>>     *Subject:* RE: ISSUE-128: Strong / weak algorithms? [Techniques]
>>
>>     I would prefer not to make a recommendation here since it is not a
>>     document that I would want to keep continuously updated.
>>
>>     There is a strong industry consensus here and what we need to do
>>     is to ensure that it is widely recognized as such and have a
>>     mechanism to alert people when the consensus changes (e.g. the new
>>     results on SHA-1).
>>
>>     *From:* Thomas Roessler [mailto:tlr@w3.org]
>>     *Sent:* Tue 16/10/2007 4:08 AM
>>     *To:* Hallam-Baker, Phillip
>>     *Cc:* Luis Barriga; Web Security Context Working Group WG
>>     *Subject:* Re: ISSUE-128: Strong / weak algorithms? [Techniques]
>>
>>     On 2007-10-15 20:26:04 -0700, Phillip Hallam-Baker wrote:
>>
>>     > I don't think we should write an exhaustive list olf strong
>>     > ciphers. The most we should do is to note that there is a set of
>>     > ciphers that the consensus recognizes as being acceptably strong
>>     > which should be supported.
>>
>>     I'd rather we either reference some known-authoritative document
>>     that is being maintained elsewhere (because I don't see us taking
> on
>>     that kind of document maintenance role for this particular
> problem).
>>
>>     The second-best approach might be to say "these are known bad
> [REF]
>>     [REF] [REF], for the rest, please do your due diligence."
>>
>>     Regards,
>>     --
>>     Thomas Roessler, W3C  <tlr@w3.org>
>>
>
> --
> Anil Saldhana
> Project/Technical Lead,
> JBoss Security & Identity Management
> JBoss, A division of Red Hat Inc.
> http://labs.jboss.com/portal/jbosssecurity/
>
>
>
>
>



-- 
Sincerely,
Yngve N. Pettersen
 
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
Received on Wednesday, 17 October 2007 11:25:49 UTC