RE: Comments on last call

The WG clearly had some metric for choosing beyond just widely available in browsers; why aren't RC4, DES and 3DES in the spec?

Nobody is expecting the WG to keep abreast of all cryptographic research, but when people like Kenny You got advice in LC (and well before, from Kenny Paterson), that there are problems with the algorithms you did include; http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Apr/0003.html 

No one is expecting an all-volunteer group to keep abreast of all cryptographic research, but that's not what was being suggested or asked for. You asked for comments, and experts (like Kenny, Russ, and Stephen; not me) responded. My brief note suggested one possible way forward, by providing a read-only interface. Or, as I alluded to, add a "WeakCrypto" interface and put the encryption and signing methods for the weak and broken algorithms there. How do you know what to put there? You already got world-class advice in the thread I referenced above. Please listen to them.

	/r$
 
--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz@jabber.me; Twitter: RichSalz

Received on Monday, 5 May 2014 14:04:08 UTC