algorithm recommendations and use cases from Mete Balcı on 2013-11-13 (public-webcrypto@w3.org from November 2013)

From: Mete Balcı <Mete.Balci@pozitron.com>
Date: Wed, 13 Nov 2013 14:26:23 +0000
To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <bf9486a564bd4a8a84baa35b5183c309@Handel.pozitron.com>

Hello all,

Maybe a little bit late for this feedback, but I want to write these down before the WG meeting:

I believe the recommended algorithms section should include HMAC-SHA1 also. Because, at least, a widely used One Time Password (OTP) standard (I can provide references if needed but a well-known open source one is Google Authenticator, https://code.google.com/p/google-authenticator/) by OATH (http://www.openauthentication.org/) directly depends on it. (RFC 4226 and RFC6238) I also would normally expect PBKDF2 and all SHA variants are also recommended algos., since I believe they are very widely used.

I dont know how much it is important but this part in use cases document sounds misleading to me: “KEYEX, the ability for two entities to exchange key(s) without interception by a third party, with KEYEX-DH representing Diffie-Hellman key exchange, a common application of safe key exchange.” Because, AFAIK, DH alone is not good/sufficient for a proper/safe key exchange, because of no authentication.

Thanks,

Mete

________________________________

Bu e-posta mesajı ve ekleri gönderildiği kişi ya da kuruma özeldir ve gizlidir. Ayrıca hukuken de gizli olabilir. Hiçbir şekilde üçüncü kişilere açıklanamaz ve yayınlanamaz. Mesajın yetkili alıcısı değilseniz hiçbir kısmını kopyalayamaz, başkasına gönderemez veya hiçbir şekilde kullanamazsınız. Eğer mesajın yetkili alıcısı veya yetkili alıcısına iletmekten sorumlu kişi siz değilseniz, lütfen mesajı sisteminizden siliniz ve göndereni uyarınız. Gönderen ve POZITRON YAZILIM A.Ş., bu mesajın içerdiği bilgilerin doğruluğu, bütünlüğü ve güncelliği konusunda bir garanti vermemektedir. Mesajın içeriğinden, iletilmesinden, alınmasından, saklanmasından, gizliliğinin korunamamasından, virüs içermesinden ve sisteminizde yaratabileceği zararlardan Şirketimiz sorumlu tutulamaz.

This e-mail and its attachments are private and confidential to the exclusive use of the individual or entity to whom it is addressed. It may also be legally confidential. Any disclosure, distribution or other dissemination of this message to any third party is strictly prohibited. If you are not the intended recipient, you may not copy, forward, send or use any part of it. If you are not the intended recipient or the person who is responsible to transmit to the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and its attachments. The sender and POZITRON YAZILIM A.S. do not warrant for the accuracy, currency, integrity or correctness of the information in the message and its attachments. POZITRON YAZILIM A.S. shall have no liability with regard to the information contained in the message, its transmission, reception, storage, preservation of confidentiality, viruses or any damages caused in anyway to your computer system.

Received on Wednesday, 13 November 2013 14:26:57 UTC