I would prefer not to make a recommendation here since it is not a document that I would want to keep continuously updated.
There is a strong industry consensus here and what we need to do is to ensure that it is widely recognized as such and have a mechanism to alert people when the consensus changes (e.g. the new results on SHA-1).
________________________________
From: Thomas Roessler [mailto:tlr@w3.org]
Sent: Tue 16/10/2007 4:08 AM
To: Hallam-Baker, Phillip
Cc: Luis Barriga; Web Security Context Working Group WG
Subject: Re: ISSUE-128: Strong / weak algorithms? [Techniques]
On 2007-10-15 20:26:04 -0700, Phillip Hallam-Baker wrote:
> I don't think we should write an exhaustive list of strong
> ciphers. The most we should do is to note that there is a set of
> ciphers that the consensus recognizes as being acceptably strong
> which should be supported.
I'd rather we either reference some known-authoritative document
that is being maintained elsewhere (because I don't see us taking on
that kind of document maintenance role for this particular problem).
The second-best approach might be to say "these are known bad [REF]
[REF] [REF], for the rest, please do your due diligence."
Regards,
--
Thomas Roessler, W3C <tlr@w3.org>