Re: [w3ctag/design-reviews] Incubation: Cryptography usage in Web Standards (Issue #1190)

martinthomson left a comment (w3ctag/design-reviews#1190)

I found some of the advice misleading, both in detail and in structure.  A source of inaccurate information on cryptography that purports to be reliable, from a trusted/trustworthy source might lead people to act on a false belief of accuracy.  Problems in the deployment of cryptography tend to be more serious than other problems.

As an example of the structural problems, there is no mention of the tools that we recommend most people use.  Things like TLS and SSH (and more recently, MLS) are at a level that the document fails to engage with.  The relatively low level of the things that are covered is usually reserved for trained practitioners, who are able to reason about cryptographic properties like IND-CCA or EUF-CMA or discuss the value of FO or Feistel or Fiat-Shamir.  These are all basics on the same level as the material in the document, but not given any mention.

At the level that this document operates, a brief note suggesting that people use composed protocols (TLS, SSH, etc.) rather than try to use cryptographic primitives would be far more useful.  If the goal is to help give a grounding in the use of those tools, I'd suggest finding a good school.  These are not skills that can be taught by a short document like this.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1190#issuecomment-3905301519

Message ID: <w3ctag/design-reviews/issues/1190/3905301519@github.com>

Received on Sunday, 15 February 2026 22:31:30 UTC