On 10 Mar 2013, at 11:01, Ben Laurie wrote: > On 10 March 2013 10:58, Paterson, Kenny <kenny.pater...@rhul.ac.uk> wrote: >> >> >> Right here: http://www.w3.org/TR/WebCryptoAPI: > > Somehow missed that. Thanks. > >> 19.1. Recommended algorithms >> >> This section is non-normative >> >> As the API is meant to be extensible in order to keep up with future >> developments within cryptography and to provide flexibility, there are no >> strictly required algorithms. Thus users of this API should check to see >> what algorithms are currently recommended and supported by implementations. > > So ... despite Ryan's claim that the recommendations are for API > implementers, it says here that they're also for users of the API. > > In which case, clearly, AE modes should be recommended.
I fully agree. We have already made this point to the WebCrypto folks (see: lists.w3.org/Archives/Public/public-webcrypto/2012Sep/0186.html), but without managing to bring about a shift in their position. If people want to see how badly things can go wrong when you mix "legacy" (i.e. insecure) and secure algorithms, see, for example this NDSS 2013 paper: http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/ [Full disclosure: I am an author on the paper.] Cheers Kenny _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
