[Bug 25607] Need to advise authors about security considerations

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607

--- Comment #7 from Graham Steel <graham.steel@inria.fr> ---
If there is a warning about currently known weaknesses and a note that this is
a point-in-time snapshot and there is a need to keep abreast of the latest
advances, there's a decent chance users of the API will at least pay some
attention to algorithm choice.

If there is no mention of these issues, there is an excellent chance that users
of the API will not pay attention to this and end up using weak algorithms. 

In the first case, the application may still be insecure for any number of
reasons. In the second case the application will almost certainly be insecure.

Given this choice, I favour the first case. 

If the CFRG could maintain a "security status of commonly used crypto
algorithms" document that would be extremely useful - and not just for this API
- but whether they do or not the first option seems preferable.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Friday, 16 May 2014 13:28:35 UTC