- From: Luis Barriga <luis.barriga@ericsson.com>
- Date: Wed, 17 Oct 2007 13:06:50 +0200
- To: <michael.mccormick@wellsfargo.com>, <Anil.Saldhana@redhat.com>, <public-wsc-wg@w3.org>
FIPS main audience is *crypto* implementors. It seems too low level and thus doesn't seem to be the primary document to refer to. We need to refer to some authoritative document(s) recommending TLS suites to web site *security* administrators so they can decide which ones to enable/disable when deploying TLS-enabled web sites. I don't think administrators would get that much help digging into FIPS. NIST has such document, but as I mentioned in is for govermental use, which excludes RC4, that as far as I know (?) is widely deployed due to its high performance. Luis -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of michael.mccormick@wellsfargo.com Sent: den 17 oktober 2007 00:02 To: Anil.Saldhana@redhat.com; public-wsc-wg@w3.org Subject: RE: ISSUE-128: Strong / weak algorithms? [Techniques] It might be better in a W3C standard to reference the international equivalents of FIPS 140. The FIPS 140-1 equivalent is ISO/IEC FCD 19790 "Security requirements for cryptographic modules". Last I heard, FIPS 140-2 was the US input document to an NP recently approved by CS1. At that time it had not yet been assigned an ISO/IEC number, but maybe that has changed. Mike -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Anil Saldhana Sent: Tuesday, October 16, 2007 3:08 PM To: Web Security Context Working Group WG Subject: Re: ISSUE-128: Strong / weak algorithms? [Techniques] FIPS 140-2 is the defining standard for cryptology (at least in the US). Maybe we can use that as the frame of reference in the rec doc? Doyle, Bill wrote: > A number of standards bodies that we can point to that note > recommended strengths. > > In the US the National Institute of Standards and Technology (NIST) > provides the clearing house for recommended practices. Systems could > follow Federal Information Processing Standards (FIPS) or FIPS 140-2 > > http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf > > *From:* public-wsc-wg-request@w3.org > [mailto:public-wsc-wg-request@w3.org] *On Behalf Of *Hallam-Baker, > Phillip > *Sent:* Tuesday, October 16, 2007 11:33 AM > *To:* Thomas Roessler > *Cc:* Luis Barriga; Web Security Context Working Group WG > *Subject:* RE: ISSUE-128: Strong / weak algorithms? [Techniques] > > I would prefer not to make a recommendation here since it is not a > document that I would want to keep continuously updated. > > There is a strong industry consensus here and what we need to do > is to ensure that it is widely recognized as such and have a > mechanism to alert people when the consensus changes (e.g. the new > results on SHA-1). > > *From:* Thomas Roessler [mailto:tlr@w3.org] > *Sent:* Tue 16/10/2007 4:08 AM > *To:* Hallam-Baker, Phillip > *Cc:* Luis Barriga; Web Security Context Working Group WG > *Subject:* Re: ISSUE-128: Strong / weak algorithms? [Techniques] > > On 2007-10-15 20:26:04 -0700, Phillip Hallam-Baker wrote: > > > I don't think we should write an exhaustive list olf strong > > ciphers. The most we should do is to note that there is a set of > > ciphers that the consensus recognizes as being acceptably strong > > which should be supported. > > I'd rather we either reference some known-authoritative document > that is being maintained elsewhere (because I don't see us taking on > that kind of document maintenance role for this particular problem). > > The second-best approach might be to say "these are known bad [REF] > [REF] [REF], for the rest, please do your due diligence." > > Regards, > -- > Thomas Roessler, W3C <tlr@w3.org> > -- Anil Saldhana Project/Technical Lead, JBoss Security & Identity Management JBoss, A division of Red Hat Inc. http://labs.jboss.com/portal/jbosssecurity/
Received on Wednesday, 17 October 2007 11:07:00 UTC