Re: ISSUE-128: Strong / weak algorithms? [Techniques] from Anil Saldhana on 2007-10-16 (public-wsc-wg@w3.org from October 2007)

From: Anil Saldhana <Anil.Saldhana@redhat.com>
Date: Tue, 16 Oct 2007 15:08:00 -0500
To: Web Security Context Working Group WG <public-wsc-wg@w3.org>
Message-ID: <47151A20.7010704@redhat.com>

FIPS 140-2 is the defining standard for cryptology (at least in the US). 
Maybe we can use that as the frame of reference in the rec doc?

Doyle, Bill wrote:
> A number of standards bodies that we can point to that note 
> recommended strengths.
>  
> In the US the National Institute of Standards and Technology (NIST) 
> provides the clearing house for recommended practices. Systems could 
> follow Federal Information Processing Standards (FIPS) or FIPS 140-2
>  
> http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
>
>     *From:* public-wsc-wg-request@w3.org
>     [mailto:public-wsc-wg-request@w3.org] *On Behalf Of *Hallam-Baker,
>     Phillip
>     *Sent:* Tuesday, October 16, 2007 11:33 AM
>     *To:* Thomas Roessler
>     *Cc:* Luis Barriga; Web Security Context Working Group WG
>     *Subject:* RE: ISSUE-128: Strong / weak algorithms? [Techniques]
>
>     I would prefer not to make a recommendation here since it is not a
>     document that I would want to keep continuously updated.
>      
>     There is a strong industry consensus here and what we need to do
>     is to ensure that it is widely recognized as such and have a
>     mechanism to alert people when the consensus changes (e.g. the new
>     results on SHA-1).
>
>     *From:* Thomas Roessler [mailto:tlr@w3.org]
>     *Sent:* Tue 16/10/2007 4:08 AM
>     *To:* Hallam-Baker, Phillip
>     *Cc:* Luis Barriga; Web Security Context Working Group WG
>     *Subject:* Re: ISSUE-128: Strong / weak algorithms? [Techniques]
>
>     On 2007-10-15 20:26:04 -0700, Phillip Hallam-Baker wrote:
>
>     > I don't think we should write an exhaustive list olf strong
>     > ciphers. The most we should do is to note that there is a set of
>     > ciphers that the consensus recognizes as being acceptably strong
>     > which should be supported.
>
>     I'd rather we either reference some known-authoritative document
>     that is being maintained elsewhere (because I don't see us taking on
>     that kind of document maintenance role for this particular problem).
>
>     The second-best approach might be to say "these are known bad [REF]
>     [REF] [REF], for the rest, please do your due diligence."
>
>     Regards,
>     --
>     Thomas Roessler, W3C  <tlr@w3.org>
>

-- 
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/

Received on Tuesday, 16 October 2007 20:08:17 UTC