RE: ISSUE-128: Strong / weak algorithms? [Techniques]

I would prefer not to make a recommendation here since it is not a document that I would want to keep continuously updated.
There is a strong industry consensus here and what we need to do is to ensure that it is widely recognized as such and have a mechanism to alert people when the consensus changes (e.g. the new results on SHA-1).


From: Thomas Roessler []
Sent: Tue 16/10/2007 4:08 AM
To: Hallam-Baker, Phillip
Cc: Luis Barriga; Web Security Context Working Group WG
Subject: Re: ISSUE-128: Strong / weak algorithms? [Techniques]

On 2007-10-15 20:26:04 -0700, Phillip Hallam-Baker wrote:

> I don't think we should write an exhaustive list olf strong
> ciphers. The most we should do is to note that there is a set of
> ciphers that the consensus recognizes as being acceptably strong
> which should be supported.

I'd rather we either reference some known-authoritative document
that is being maintained elsewhere (because I don't see us taking on
that kind of document maintenance role for this particular problem).

The second-best approach might be to say "these are known bad [REF]
[REF] [REF], for the rest, please do your due diligence."

Thomas Roessler, W3C  <>

Received on Tuesday, 16 October 2007 15:35:22 UTC