#1190: Incubation:

Opened Feb 3, 2026

Explainer

https://www.w3.org/TR/2026/DNOTE-security-guidelines-cryptography-20260129/

The explainer

Where and by whom is the work being done?

Feedback so far

There's some review in the issue tracker that is worth looking at. https://github.com/w3c/security-guidelines-cryptography/issues/15 in particular has some good feedback.

You should also know that...

(Note that I didn't know how to classify this request. The forms don't really fit this, so I've lied: this doesn't really include the necessary items from the explainer explainer.)

After looking at this document personally, I think that the TAG should take a serious and critical look at this document. Focus on high-level goals and whether this document is addressing those goals. To be clear, the purpose of this guide is presently unclear, but there is serious risk of harm out of this. If I were to infer a goal, it might be to instill confidence in people about their use of cryptography, which would likely be unwise.

To quote a recent article:

In fact, ability and motive may even be negatively correlated. The kind of person who has the ability to release a plague is probably highly educated: likely a PhD in molecular biology, and a particularly resourceful one, with a promising career, a stable and disciplined personality, and a lot to lose. This kind of person is unlikely to be interested in killing a huge number of people for no benefit to themselves and at great risk to their own future—they would need to be motivated by pure malice, intense grievance, or instability. -- Dario Amodei, The Adolescence of Technology

<!-- Content below this is maintained by @w3c-tag-bot -->

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1190
