Re: "Recommended" is a bad word :)

Rich,

It's difficult for this WG when you present such statements.

Let me try to be clear: Are you saying that Kenny Patterson disagrees that
"weak" is contextually-dependent with respect to the task at hand?

If so, it would be useful if Kenny could provide a clear definition of the
criteria he believes this WG should use for "weak".

Does the mere existence of attacks suffice? If so, then RSA-OAEP is weak?
Does the existence of provably-secure constructions make an algorithm "not
weak"? If so, then AES-CBC and AES-CTR are not weak.
Does the existence of a security proof make something "not weak"? If so,
then remember that TLS has had plenty of security proofs demonstrating its
security - all before BEAST, CRIME, and the Triple Handshake (which showed
that TLS is indeed "weak", for some definition of "weak").

I feel like you're missing the core piece of the feedback and objection -
which is that such advice inherently lacks a context for where the advice
comes from.

Without such a context, this WG:
1) Cannot review whether or not such feedback is relevant to the stated
charter for the goals of this API
2) Cannot make a fair and accurate representation of algorithms, short of
approaching Kenny (via you?) and asking him what he thinks of algorithm X

Quite simply, the feedback lacks a formal definition for its basis, and as
such, appears as simply that of an opinion. Now, if there is a formal
definition, sharing it with this WG and reviewing it in the context of the
charter is good.

Further, such feedback requires an understanding of what the goals of such
language are. It's clear you believe that this will somehow prevent or
discourage authors from writing "bad" or "insecure" code (for some
definition that remains to be provided). However, as I've repeatedly
attempted to show you, this doesn't really accomplish that goal in any
meaningful way. Further, by appearing to *attempt* to do this, we embrace a
slippery slope that can cause authors and maintainers real harm.

I understand you are not a cryptographer, as you have stated repeatedly
before. But I hope you can understand that the conversation is far more
nuanced than you have presented, which is why I continue to push back on
why I do not believe your proposal, as written, is appropriate for the spec.


On Mon, May 12, 2014 at 10:42 AM, Salz, Rich <rsalz@akamai.com> wrote:

> > As has been addressed on the bug, the criteria for "weak" is clearly
> > misleading and misrepresentative. Proposals that flow from this are
> > misguided.
>
>
>
> Noted cryptographers disagree.
>
>
>
> /r$
>
>
>
> --
>
> Principal Security Engineer
>
> Akamai Technologies, Cambridge, MA
>
> IM: rsalz@jabber.me; Twitter: RichSalz
>
>
>

Received on Monday, 12 May 2014 17:57:37 UTC