- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 11 Sep 2013 10:36:43 +0200
- To: Ryan Sleevi <sleevi@google.com>
- Cc: public-webcrypto@w3.org
Received on Wednesday, 11 September 2013 08:36:46 UTC
On 2013-09-10, at 22:27 +0200, Ryan Sleevi <sleevi@google.com> wrote:

> The issue is not convincing me, or anyone, that AES-CBC without integrity is bad - that's obvious to anyone familiar with basic cryptographic constructions, much in the same way as using AES-ECB beyond a block size's worth of data (e.g. the AES-KW case) or using AES-CTR without integrity protection that includes the counter value.
>
> I'm fully in favour of characterizing "recommended" as "recommended for implementations",

+1

> with a split between "Recommended to support existing applications" and "Recommended to support new applications" dichotomy,

+1

Also, it is probably worth pointing out explicitly that, in the first list, the primary goal of the selection is compatibility, not security.

I believe the obvious difference between these two lists of algorithms is AES-CBC vs. AES-GCM. Are there other choices that you would recommend to make different for a "recommended to support new applications" list?