> Would it help to augment the existing warning text cited by Vijay with some _examples_ of published attacks / weaknesses for some of the algorithms?
How does that not run into the same concern about being taken as a comprehensive warning? Is “For example, …” considered that much less compelling? As for examples, just read the titles in the proposed security references section.
> IIUC the concern with the proposed text is that it might give the impression we're providing exhaustive, up-to-date advice and that we have some agreed yardstick by which to measure whether a given algorithm should get a thumbs up or thumbs down.
There will never be exhaustive, up-to-date advice. Given that truism, what do you do? That’s a real question. And as for the yardstick, you’ve got a list of open references, and the original CFRG/Paterson et al email message gave a summary.
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz@jabber.me; Twitter: RichSalz