- From: Charles Engelke <w3c@engelke.com>
- Date: Mon, 28 Sep 2015 10:03:41 -0400
- To: GALINDO Virginie <Virginie.Galindo@gemalto.com>
- Cc: Harry Halpin <hhalpin@w3.org>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Mon, Sep 28, 2015 at 4:50 AM, GALINDO Virginie <Virginie.Galindo@gemalto.com> wrote: > Dear all, > A kind reminder that we will have a one hour call today at 20:00 UTC. > Harry's proposal below will help deciding on droping some algorithms from browser profile. > Regards, > Virginie I can't attend today due to my time zone, but I did want to make a couple of comments below. > From: Harry Halpin [mailto:hhalpin@w3.org] > > Algorithms up for removal (less than 2 implementations): > > RSA-PSS > AES-CTR > AES-CMAC > AES-CFB > DH > CONCAT > HKDF > PBKDF2 > > Algorithms in Browser Profile (all implementations): > RSASSA-PKCS1-v1_5 > RSA-OAEP > AES-CBC > AES-GCM > AES-KW > HMAC > SHA-256 > SHA-384 > SHA-512 - PBKDF2 is supported on both Chrome and Firefox, though only with SHA-1 when I tried it on Firefox. - Even if it was on only one implementation of PBKDF2, I support keeping it in the spec. There are a lot of use cases that rely on deriving keys from passwords, and none of the algorithms for this would make the cut from the list shown. - Rather than aggressively dropping algorithms I'd prefer to instead recommend the algorithms in the second list (plus a key derivation algorithm) be the desirable minimal set of algorithms. This would aid interoperability between browsers. Browsers that can support more algorithms would then have a standard specification of how they should do so. Thanks. Sorry I can't make the call today. Charlie
Received on Monday, 28 September 2015 14:04:09 UTC