Re: [Cfrg] WebCrypto Security Guidelines into IRTF Informational Draft?
Simon Josefsson <simon@josefsson.org> Thu, 05 November 2015 15:17 UTC
From: Simon Josefsson <simon@josefsson.org>
To: Harry Halpin <hhalpin@w3.org>
References: <5636A760.8080207@w3.org>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
Date: Thu, 05 Nov 2015 16:17:05 +0100
In-Reply-To: <5636A760.8080207@w3.org> (Harry Halpin's message of "Sun, 01 Nov 2015 18:59:28 -0500")
Message-ID: <8737wk1nny.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/3d-TbNA9mTRk12BqXSPNeoPigbw>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] WebCrypto Security Guidelines into IRTF Informational Draft?
Harry Halpin <hhalpin@w3.org> writes:

> The new draft is here:
>
> http://www.w3.org/2012/webcrypto/draft-irtf-cfrg-webcrypto-algorithms-01.html

1) Why are AES-CBC, AES-CFB, AES-CTR marked YES in the "OK Future" column?
   I believe there is general agreement that you should be using AEAD
   ciphers and that non-AEAD ciphers are too fragile for any use by
   non-crypto people.

2) Why are you promoting the SP 800-56A CONCAT construct?  Use HKDF.

3) HKDF is not a password-based key derivation function and shouldn't be
   used for that purpose.

4) PBKDF2 is a decent password-based kdf.  If you want to deprecate PBKDF2,
   point to Scrypt or Argon2, not HKDF.

5) You may want to remind people that MD5 is broken, so that nobody thinks
   that it is okay to use it because your document does not mention it.

/Simon