RE: ISSUE-128: Strong / weak algorithms? [Techniques]

A number of standards bodies that we can point to that note recommended
In the US the National Institute of Standards and Technology (NIST)
provides the clearing house for recommended practices. Systems could
follow Federal Information Processing Standards (FIPS) or FIPS 140-2


On Behalf Of Hallam-Baker,
	Sent: Tuesday, October 16, 2007 11:33 AM
	To: Thomas Roessler
	Cc: Luis Barriga; Web Security Context Working Group WG
	Subject: RE: ISSUE-128: Strong / weak algorithms? [Techniques]
	I would prefer not to make a recommendation here since it is
not a document that I would want to keep continuously updated.
	There is a strong industry consensus here and what we need to
do is to ensure that it is widely recognized as such and have a
mechanism to alert people when the consensus changes (e.g. the new
results on SHA-1).


	From: Thomas Roessler
	Sent: Tue 16/10/2007 4:08 AM
	To: Hallam-Baker, Phillip
	Cc: Luis Barriga; Web Security Context Working Group WG
	Subject: Re: ISSUE-128: Strong / weak algorithms? [Techniques]

	On 2007-10-15 20:26:04 -0700, Phillip Hallam-Baker wrote:
	> I don't think we should write an exhaustive list of strong
	> ciphers. The most we should do is to note that there is a set
	> ciphers that the consensus recognizes as being acceptably
	> which should be supported.
	I'd rather we either reference some known-authoritative
	that is being maintained elsewhere (because I don't see us taking on
	that kind of document maintenance role for this particular
	The second-best approach might be to say "these are known bad
	[REF] [REF], for the rest, please do your due diligence."
	Thomas Roessler, W3C

Received on Tuesday, 16 October 2007 18:23:12 UTC