W3C home > Mailing lists > Public > public-webcrypto@w3.org > July 2012

Re: ISSUE-1: Mandatory algorithms (was Re: ISSUE-3: Algorithm discovery)

From: David Dahl <ddahl@mozilla.com>
Date: Wed, 11 Jul 2012 17:38:11 -0700 (PDT)
To: Harry Halpin <hhalpin@w3.org>
Cc: Ryan Sleevi <sleevi@google.com>, Seetharama Rao Durbha <S.Durbha@cablelabs.com>, public-webcrypto@w3.org, Mike Jones <Michael.Jones@microsoft.com>, Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
Message-ID: <376901149.11464541.1342053491797.JavaMail.root@mozilla.com>

----- Original Message -----
> From: "Harry Halpin" <hhalpin@w3.org>
> To: "Vijay Bharadwaj" <Vijay.Bharadwaj@microsoft.com>
> Cc: "Ryan Sleevi" <sleevi@google.com>, "Seetharama Rao Durbha" <S.Durbha@cablelabs.com>, public-webcrypto@w3.org,
> "David Dahl" <ddahl@mozilla.com>, "Mike Jones" <Michael.Jones@microsoft.com>
> Sent: Wednesday, July 11, 2012 7:23:31 PM
> Subject: Re: ISSUE-1: Mandatory algorithms (was Re: ISSUE-3: Algorithm discovery)
> Note that I have always been neutral as regards MUST-IMPLEMENT and
> I'm worried over only MAY implement, for the reason that I just want
> to
> see *something* work in the API besides error messages and that I'm
> not
> sure if I can honestly say that two or more inter-operable
> implementations of just error messages is enough to get us past
> Candidate Rec stage. Those less technically involved in the details
> within industry and the W3C may be skeptical of the interop benefits
> of
> standardization in that case. For this reason, previous W3C WGs in
> this
> area such as XMLDSIG and XMLENC both have at least *two* independent
> mandatory-to-implement algorithms when possible, in case one breaks
> during the life of standard. While I'm not really worried about MUST
> vs.
> SHOULD, I'm worried about test-cases and getting to CR.
> So, I think we can agree:
> 1) Having a common subset of algorithms that we can test, and thus
> achieve CR status, is useful and developers will need such assurances
> at
> least for increasing adoption of the API.
> 2) A MUST-IMPLEMENT is for various reasons argued on the mailing list
> is
> a bad idea.
>   Thus, I propose that we resolve this issue by doing a much weaker
> version of what XML-DSIG and XML-ENC did, to have no MUST IMPLEMENT
> but
> instead a recommended SHOULD implement. The WebCrypto API should have
> a
> subset (at least two or more) of recommended algorithms that we build
> test-cases along to move to CR, but no strict conformance testing
> that
> requires a MUST-IMPLEMENT, as we recognize those algorithms may
> change
> and are use-case dependent.  Thus, there will be *no* MUST-IMPLEMENT,
> but recommended SHOULD implement.
> Is that weaker stance as regards recommended algorithms with
> test-cases
> also being objected to, or are we happier with that?

I like this approach. This seems like a way to no paint ourselves into a corner with all of the regulatory issues and browser vendor maintenance in mind.

Received on Thursday, 12 July 2012 00:38:39 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:11 UTC