Re: Adding deprecation notices to pgcrypto documentation
From | Peter Eisentraut |
---|---|
Subject | Re: Adding deprecation notices to pgcrypto documentation |
Date | |
Msg-id | 3b9f6499-4299-47a9-9595-9828fd3da291@eisentraut.org |
In response to | Re: Adding deprecation notices to pgcrypto documentation (Daniel Gustafsson <daniel@yesql.se>) |
Responses | Re: Adding deprecation notices to pgcrypto documentation |
List | pgsql-hackers |
On 05.03.24 11:50, Daniel Gustafsson wrote:
>> * Should we actually document the exact list of algorithms along with
>> detailed reasons? This list seems prone to becoming outdated.
>
> If we don't detail the list then I think that it's not worth doing, doing the
> research isn't entirely trivial as one might not even know where to look or
> what to look for.
>
> I don't think this list will move faster than we can keep up with it,
> especially since it's more or less listing everything that pgcrypto supports at
> this point.

The more detail we provide, the more detailed questions can be asked about it. Like:

The introduction says certain algorithms are vulnerable to attacks. Is 3DES vulnerable to attacks? Or just deprecated? What about something like CAST5? This is in the OpenSSL legacy provider, but I don't think it's known to be vulnerable. Is its status different from 3DES?

It says MD5 should not be used for digital signatures. But is password hashing a digital signature? How are these related? Similarly about SHA-1, which has a different level of detail.

Blowfish is advised against, but by whom? By us?