RE: "Recommended" is a bad word :)

Hi all,

It seems to me that you are kind of heading in the same direction. Text can be improved, explicitly mentioning there are risks, but cannot be exhaustive. Discussion should now focus on text proposal.
What should we add to the existing text to make it more accurate?
Example sounds like a good option (if we cannot agree on what weak means, we can agree on what example means).

Virginie

From: Salz, Rich [mailto:rsalz@akamai.com]
Sent: Tuesday, 13 May 2014 17:00
To: Mark Watson
Cc: Vijay Bharadwaj; public-webcrypto-comments@w3.org
Subject: RE: "Recommended" is a bad word :)

> Would it help to augment the existing warning text cited by Vijay with some _examples_ of published attacks / weaknesses for some of the algorithms?

How does that not run into the same concern about being taken as a comprehensive warning?  Is “For example, …” considered that much less compelling? As for examples, just read the titles in the proposed security references section.

> IIUC the concern with the proposed text is that it might give the impression we're providing exhaustive, up-to-date advice and that we have some agreed yardstick by which to measure whether a given algorithm should get a thumbs up or thumbs down.

There will never be exhaustive, up-to-date advice. Given that truism, what do you do?  That’s a real question. And as for the yardstick, you’ve got a list of open references, and the original CFRG/Paterson et al email message gave a summary.

--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz@jabber.me; Twitter: RichSalz

Received on Tuesday, 13 May 2014 15:19:34 UTC