- From: <bugzilla@jessica.w3.org>
- Date: Tue, 01 Jul 2014 02:51:14 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607

--- Comment #22 from Ryan Sleevi <sleevi@google.com> ---

(In reply to Rich Salz from comment #18)
> If that is the WG view, then the right thing to do is close this out as
> WONTFIX.

I tried to make it clear that I'm presenting an opinion as an individual.

However, regardless of your views, it seems worthwhile to note whether or not you agree with the classification of RSA-PSS as check-plus (can use SHA-1), RSA-OAEP as check-plus (vulnerable to Manger's attack), ECDSA as check-plus (vulnerable to nonce-reuse), ECDH as check-plus (vulnerable, as currently spec'd, to the static DH problem), AES-GCM as check-plus (vulnerable to cache timing attacks in GHASH), AES-KW as check-plus (lacks a formal security proof), HMAC as check-plus (can use SHA-1, regardless of the fact of RFC 6151's analysis), DH as check-plus (static-DH problem), Concat-KDF as check-plus (SHA-1), HKDF as check-plus (SHA-1), and PBKDF2 as check-plus (tradeoffs of parameters and the use of GPUs/ASICs, as it lacks a construction like scrypt-and-friends to make a memory/parallelization tradeoff, plus SHA-1).

If you don't feel that every algorithm would deserve a check-plus, then setting forth formal criteria for when and where you believe that cryptographic attacks can be ignored or should be noted will be useful for the consistency of the spec, as well as to avoid future concerns of a formal objection.

Note my goal is to avoid the "living spec" requirements that such security considerations inherently bring.
Received on Tuesday, 1 July 2014 02:51:16 UTC