[Bug 25607] Need to advise authors about security considerations

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607

--- Comment #15 from Rich Salz <rsalz@akamai.com> ---
I am updating my request for changes, based on the draft I see today. All other
issues are closed, and this is what remains.  It is, still, the core concern of
this bug report.


In Section 6.2, after the the first sentence of the first paragraph add "(See
also section 21, below.)"

In section 21, after the first sentence, add the following: "A blank field
means no registration, a check means registration, and a plus means
registration, but that at the time of this writing there are known security
issues with that particular combination. (See Section 23.2, Security
References, below.)"

In section 21, in the table, for the rows labeled AES-CTR, AES-CBC, AES-CFB,
and SHA-1 replace the check-mark with a plus sign (or other graphic).

In section 21, after the table, add the following text: "Entries with a plus
sign SHOULD only be used when interoperating with existing formats and
protocols.  Although not registered in this document, the digest mechanisms MD2
and MD5 referenced in various related standards SHOULD never be used to
generate data."  Replace the words "plus sign" with whatever description is
appropriate for the graphic you choose.

Include a Security References section, suggested as 23.2. Include the documents
listed in the original description of this bug report. Considering adding a
reference to Graham's "cryptosense" blog posting, in whatever form you find
appropriate.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Monday, 30 June 2014 15:46:43 UTC