- From: Harry Halpin <hhalpin@w3.org>
- Date: Mon, 09 Sep 2013 18:28:52 +0200
- To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
When we first started the Crypto API, we assumed cryptography was going to be fairly stable in at least the short-term. However, the topic of new developments around RSA [1] and now NSA influence on standards bodies [2] has the possibility of leading some instability in recommended algorithms and algorithms in general. In particular, we can imagine various people legitimately wanting custom ECC curves for example. How does this change the spec? Not much, but I'd suggest the two points: 1) Right now we recommend • RSASSA-PKCS1-v1_5 using SHA-1 • AES-CBC Given latest developments, I and some others at W3C would prefer to remove "AES-CBC" but keep RSASSA-PKCS1-v1_5 using SHA-1. 2) The topic of a registry led to massive debates before. I think it seemed that the one reason was the administrative overhead of IANA. In particular, we can imagine various people wanting custom ECC curves for example. It seems like a wiki is too lightweight, but we could either have the WebCrypto WG (and W3C staff, with help of a public mailing list) maintain a web-page after the end of the life of the WG. The spec could then point to the web-page and then warn about the lack of RFF policy and lack of interoperability testing. Any opinions? cheers, harry [1]http://www.slideshare.net/astamos/bh-slides [2]http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
Received on Monday, 9 September 2013 16:29:00 UTC