RE: "Recommended" is a bad word :)

> Would it help to augment the existing warning text cited by Vijay with some _examples_ of published attacks / weaknesses for some of the algorithms?

How does that not run into the same concern about being taken as a comprehensive warning?  Is “For example, …” considered that much less compelling? As for examples, just read the titles in the proposed security references section.

> IIUC the concern with the proposed text is that it might give the impression we're providing exhaustive, up-to-date advice and that we have some agreed yardstick by which to measure whether a given algorithm should get a thumbs up or thumbs down.

There will never be exhaustive, up-to-date advice. Given that truism, what do you do?  That’s a real question. And as for the yardstick, you’ve got a list of open references, and the original CFRG/Paterson et al email message gave a summary.
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz@jabber.me; Twitter: RichSalz

Received on Tuesday, 13 May 2014 15:00:49 UTC