Re: Future of Web Crypto API

Regarding the suggestions of the two possibilities as:

1. Get W3C to have a new proposed Working Group charter to do the work

2. Get W3C to revise the charter of an existing Working Group to add the
deliverable into it

I would not support either one, unless part of the work meaningfully and
significantly addresses

a) the fundamentally broken nature of the web and the severe problems
caused for all web security by recent amendments to Rule 41 that became
effective late last year <http://fortune.com/2016/11/30/rule-41/>,

b) additional problems for safety and security of users of the web caused
by expanded surveillance procedures in the USA
<http://www.zdnet.com/article/days-before-trump-takes-office-obama-expands-nsa-powers/>,
and

c) additional problems for safety and security of users of the web caused
by the Snooper's Charter
<https://www.theguardian.com/world/2017/jan/10/liberty-launches-legal-challenge-to-state-spying-in-snoopers-charter>
.

It is worth pointing out that inside the USA, due to the extreme policies
which came into effect during the Obama administration, no user is safe
online though they may attempt to establish servers and communication
systems outside the United States for better security.  Even then, the only
countries outside the US that have explicitly rejected surveillance are (to
the best of my knowledge) Slovakia - which has deemed mass surveillance
unconstitutional - and Slovenia - which has deemed data retention
unconstitutional.  The only country in South or Central America that has
explicitly rejected mass surveillance that I am aware of is Paraguay, which
rejected the "pyrawebs" proposal for mandatory data retention (and contains
a right to privacy in its Constitution
<https://necessaryandproportionate.org/country-reports/paraguay>).  The
paucity of countries around the world which have rejected mass surveillance
or data retention, and the abundance and growth of new, additional
surveillance methods in the USA and the UK (as evidenced for example by
(a-c) above) directly suggests that any work and deliverable of a Working
Group relating to Web Crypto must also include the direct threats to users
now posed by governments (as indicated above) so as to plan and program
countermeasures to governmental actions, to ensure user privacy and
anonymity.  Otherwise there is not much point in continuing with the
exercise.



On Wed, Feb 8, 2017 at 9:15 AM, Philippe Le Hégaret <plh@w3.org> wrote:

> > On 2/8/17 10:49 AM, Philippe Le Hégaret wrote:
> > > 3. Republication of a new Recommendation with substantive changes is
> > > governed by (no change since W3C Process 2015):
> > ...
> > >
> > > In other words, this is not a current possibility for the Web
> > > Cryptography API since the Working Group is closed.
> >
> > OK.  So what is the process that will need to actually happen should
> > there be need for substantive errata?
>
> 2 possibilities:
>
> 1. Get W3C to have a new proposed Working Group charter to do the work
>
> 2. Get W3C to revise the charter of an existing Working Group to add the
> deliverable into it
>
> Both of those cases would fall under
>    https://www.w3.org/2017/Process-20170301/#WGCharterDevelopment
>
> but the second path is a lot easier to do than the first one.
>
> In either case, making sure that the errata page gets updated with
> editorial and substantive changes is important.
>
> For what it's worth, I believe this is too heavy a process and have been
> working on a proposal to authorize W3C to make substantive changes to its
> W3C Recommendation without a Working Group:
>
> https://github.com/w3c/standards-track/blob/spec-stages/stages.md#3-maintenance-of-an-errata-page-for-the-w3c-recommendation-and-revising-a-recommendation-using-an-errata-list
> I was however too late to get that proposal considered for Process 2017,
> so it's not an option unfortunately.
>
> Philippe
>
>

Received on Thursday, 9 February 2017 05:43:00 UTC