On 05.03.24 11:50, Daniel Gustafsson wrote:
>> * Should we actually document the exact list of algorithms along with
>> detailed reasons? This list seems prone to becoming outdated.
>
> If we don't detail the list then I think that it's not worth doing; doing the
> research isn't entirely trivial as one might not even know where to look or
> what to look for.
>
> I don't think this list will move faster than we can keep up with it,
> especially since it's more or less listing everything that pgcrypto supports at
> this point.

The more detail we provide, the more detailed questions can be asked
about it. Like:

The introduction says certain algorithms are vulnerable to attacks. Is
3DES vulnerable to attacks? Or just deprecated?

What about something like CAST5? This is in the OpenSSL legacy
provider, but I don't think it's known to be vulnerable. Is its status
different from 3DES?

It says MD5 should not be used for digital signatures. But is password
hashing a digital signature? How are these related? Similarly about
SHA-1, which has a different level of detail.

Blowfish is advised against, but by whom? By us?