
Source of Recommended/Discouraged algorithms #38

Open
vlevit opened this issue Mar 4, 2017 · 3 comments

Comments


vlevit commented Mar 4, 2017

(I'm not sure if this is appropriate for a GitHub issue, but I couldn't find a better place.)

In the "Web Cryptography API Live Table" some algorithms are marked as "Recommended" and others as "Discouraged! Only use for backwards compatibility!" What is the source of this classification?

I had a quick look at the spec and didn't find it there. Though I did find "suggested" algorithms here, and according to that list AES-CBC is suggested/recommended, while according to the project's table it's AES-GCM which is recommended and all other cipher modes are "discouraged".


vlevit commented Apr 8, 2017

One possible explanation for why AES-GCM is different is that it is the only mode of operation (among those supported by the WebCrypto API) which provides authentication. For other modes of operation, authentication can be implemented via a separate authentication/integrity algorithm such as HMAC ("recommended") or AES-CMAC.

Interestingly, in the project's table, among asymmetric algorithms only elliptic-curve-based algorithms are recommended and all RSA-based ones are discouraged.

While some algorithms can be preferable to others for some use cases, personally I don't see why some subset of algorithms should deprecate all others.

@secumundo

I don't understand. The only asynchronous encryption/decryption method explained here is RSA-OAEP, and that's discouraged (though I didn't find any reference in the W3C specs). Web-Crypto doesn't make much sense if it leaves us without reliable async crypto...?


towr commented Aug 11, 2017

@secumundo You can use ECDH for asynchronous encryption by deriving a shared key and using that key for AES encryption.
(And for good measure you should create a single-use ECDH key that you use only for that purpose, sending the public key along so your recipient can derive the key and decode the message. This prevents using the same shared key multiple times.)
