Suggested is better than recommended, but I would still prefer to see something like “suggest these be provided by implementations” or something, and not necessarily suggested for use.
Perhaps I am just being thick-headed or stubborn, but I still don’t understand the objection to warning developers away from certain mechanisms. That advice is incomplete, but it’s not wrong and it’s not going to get outdated. At some point soon, someone will want to register Curve25519/Ed25519 for use, which is the whole point of registration, right? It’s a point-in-time statement. So are attacks and weaknesses. “It gets better” to mis-use a phrase.
I’m away this week (IETF TLS WG), but if someone thinks talking would help enlighten me, that’s fine.
/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz@jabber.me<mailto:rsalz@jabber.me>; Twitter: RichSalz
Received on Thursday, 15 May 2014 14:06:20 UTC