Re: Drastically cutting primary features [was Re: Last call for public comments on Web Crypto charter] from Stephen Farrell on 2011-11-24 (public-identity@w3.org from November 2011)

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 24 Nov 2011 02:50:21 +0000
To: Mark Watson <watsonm@netflix.com>
CC: Harry Halpin <hhalpin@w3.org>, "<public-identity@w3.org>" <public-identity@w3.org>
Message-ID: <4ECDB0ED.1010207@cs.tcd.ie>

What do you gain over and above TLS-PSK and why is that
beneficial?

S.

On 11/24/2011 02:48 AM, Mark Watson wrote:
> Harry,
>
> The possibility to develop secure application protocols in Javascript, without using TLS, is exactly the one of the points of this API, at least for us. The possibility to use pre-provisioned keys is also an essential component. So I wouldn't be in favor of this change and I'm not even sure it's a "simplification".
>
> ...Mark
>
> On Nov 23, 2011, at 3:14 PM, Harry Halpin wrote:
>
>> On 11/18/2011 06:34 AM, Stephen Farrell wrote:
>>>
>>> I've very happy to see how this process has gone and the
>>> resulting charter. I have two comments:-
>>>
>>> I would strongly argue to move TLS key extraction into
>>> the list of primary features. I guess that function might
>>> not always produce a key, depending on client&  server
>>> implementations, but I think its important that it be
>>> available since if/when it works, it would mean that an
>>> awful lot of people would not need to develop their own
>>> (and probably broken) key distribution schemes.
>>
>> I'm catching up on older comments, and I'd like for people on this mailing list to notice the radical simplifying nature of Stephen's proposal.
>>
>> By having key establishment come from TLS as the primary feature, it would get rid of the need for key storage, key agreement, and key generation from primary features. Or at least move those to secondary features!
>>
>> What do people think?
>>
>> It would be a radically simpler starting point for an API, which appeals to me.
>>
>>>
>>> I would separately argue that the current list of primary
>>> functions (esp without TLS key extraction) is not really
>>> a "high-level API," right now, it looks much more like
>>> just any old crypto API (e.g. if you have D-H, which
>>> many developers might not understand very well). I think
>>> requiring the WG to more somehow at a higher level than
>>> JCE/JCA might be a way to indicate that.
>>>
>>> Regards,
>>> Stephen.
>>>
>>> On 11/17/2011 03:17 PM, Harry Halpin wrote:
>>>> Everyone,
>>>>
>>>> On next Tuesday, as said earlier, I plan to take the Web Cryptography
>>>> charter [1] from the wiki and put it into HTML as an "official draft
>>>> charter" then ask for preliminary feedback from the AC, before going to
>>>> real AC review in December (thus launching Working Group in January).
>>>>
>>>> So, if you have any comments, *now* is the time to send to the mailing
>>>> list. Suggested text replacement is most welcome.
>>>>
>>>>        cheers,
>>>>           harry
>>>>
>>>> [1] http://www.w3.org/wiki/IdentityCharter
>>>>
>>>>
>>>
>>
>>
>>
>
>
>

Received on Thursday, 24 November 2011 02:50:59 UTC