- From: Richard L. Barnes <rbarnes@bbn.com>
- Date: Mon, 16 Jul 2012 18:42:14 -0400
- To: Wan-Teh Chang <wtc@google.com>
- Cc: David Rogers <david.rogers@copperhorses.com>, public-webcrypto@w3.org, S.Durbha@cablelabs.com
Meta-suggestion here: It would be really good for this list to have a high degree of overlap with the JOSE algorithms. <http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms> There's more text in the JWA document, but I like Wan-Teh's approach a little better. It's good to have requirements to tie the algorithms back to. For 3: My impression is that it would be marginally safer to use RSAES-OAEP, and it is pretty widely implemented. --Richard On Jul 16, 2012, at 6:35 PM, Wan-Teh Chang wrote: > Hi David, > > Thank you for sending your proposal. I agree with your selection > criteria in general. I have some comments. > > 1. The 1536-bit key size for Diffie-Hellman, DSA, and RSA keys doesn't > seem useful in practice. In addition, FIPS 186-3, which extends DSA > to support key sizes greater than 1024 bits, does not specify a DSA > key size of 1536 bits. > > 2. SHA-384 seems more useful than SHA-512 because of the US NSA "Suite > B" specification. > > 3. By "RSAES", did you mean RSAES-OAEP, RSAES-PKCS1-V1_5, or both? > Similarly for "RSASSA". > > 4. Do you think the HMAC-based KDF (HKDF), specified in RFC 5869, > would be more appropriate than the NIST concatenation KDF? It seems > that the concatenation KDF never became popular in practice. > > Wan-Teh >
Received on Monday, 16 July 2012 22:42:44 UTC