Re: [Web Crypto WG] Agenda for next call on 14th of May (15:00 EDT/19:00 UTC) from Mark Watson on 2012-05-09 (public-webcrypto@w3.org from May 2012)

From: Mark Watson <watsonm@netflix.com>
Date: Wed, 9 May 2012 16:05:22 +0000
To: David Dahl <ddahl@mozilla.com>
CC: GALINDO Virginie <Virginie.GALINDO@gemalto.com>, Wendy Seltzer <wseltzer@w3.org>, Harry Halpin <hhalpin@w3.org>, "<public-webcrypto@w3.org>" <public-webcrypto@w3.org>, "<rsleevi+w3c@chromium.org>" <rsleevi+w3c@chromium.org>, Wan-Teh Chang <wtc@google.com>
Message-ID: <CAED78C4-4AC8-4AAF-A818-8C651D2D934C@netflix.com>

On May 9, 2012, at 8:45 AM, David Dahl wrote:

> I spent some time on the phone with Wan-Teh and Ryan Sleevi yesterday to discuss the editor's draft.Some questions and issues we came up with about the preliminary work on the spec are:
> 
> 1. Feature (algorithm and capability) detection. We should provide a method by which the API can be queried for features/algorithms/cipher suites/etc that allows a script to bail out early before attempting an operation that will fail. e.g.: we need a version attribute as well, "window.crypto.pk.version" to start
> 
> 2. Specifying algorithms for crypto operations other than RSA might become more complicated than the preliminary spec proposes 
> 
> There was a discussion about perhaps changing the API to look more like:
> 
> window.crypto.rsa.generateKeys() encryptAndSign() verifyAndDecrypt()
> 
> I think we can design this in a more 'general purpose' way (similar to the current ED) using an options parameter that specifies the algorithm, padding, hash/mac,or cipher suite, etc.

We do have an internal draft API, very much along those lines, with quite a few details worked out. We haven't posted this, because the direction was to build on DOMCrypt. But if the direction is to re-think the API a little, then we'd be happy to contribute that.

> 
> 3. Potential need for a parallel set of low-level interfaces. I still think we should avoid this as a potential sinkhole. My initial desire to provide an "easy-and-safe-to-use" interface is I think the point of this API. A parallel, low-level interface is also desired. 
> 
> 4. The interest in secondary features seemed high in the public call. We need to prioritize. (I think this all falls on use-cases to sort out)
> 
> 5. I need to run the current spec through where it is using ECC in place of RSA to see how it looks/feels - regardless of whether or not browser vendors can implement. This also brings up the issue of not stating algorithms as MUST IMPLEMENT
> 
> 6. We should adopt JOSE specs for all input and output. This gives more credence to a very high-level API using cipher suites, which will remove most of the ambiguity of a 'generic API'. Of course, using cipher suites is not a silver bullet, as Ryan said, SSL has 117+ cipher suites maintained by IETF.

I'm not sure about this. It should be possible to easily implement JOSE using this API, but I don't think JOSE is appropriate for exchanges over the API itself. These should largely be opaque byte strings, whereas JOSE defines serialized encoded JSON objects.

> 
> 7. For the symmetric API, we need to examine the use cases (notably, the Netflix use-case) and figure out what the starting point looks like. Mark Watson and Mitch Zollinger of Netflix are interested in another F2F meeting to discuss this.

Our use-case, as posted in December, is here http://www.w3.org/wiki/NetflixWebCryptoUseCase. We'd be happy to run through this on the call.

> 
> We want to avoid creating the "Netflix API"and I think there are use cases in common with what they have proposed.      

Absolutely, we're keen to ensure that the API is generic and not specific to this use-case at all - we may ourselves have other use-cases too!

…Mark

> 
> Wan-Teh, Ryan: is there anything else I forgot to mention?
> 
> 
> Regards,
> 
> David
> 
> ----- Original Message -----
> From: "GALINDO Virginie" <Virginie.GALINDO@gemalto.com>
> To: public-webcrypto@w3.org
> Cc: "Wendy Seltzer" <wseltzer@w3.org>, "Harry Halpin" <hhalpin@w3.org>
> Sent: Wednesday, May 9, 2012 9:48:23 AM
> Subject: [Web Crypto WG] Agenda for next call on 14th of May (15:00  EDT/19:00 UTC)
> 
> Dear all,
> 
> Please remember that our first conference call will be held next Monday 
> - 14th of May 
> - 15:00 EDT (19:00 UTC) 
> - +1.617.761.6200, 27978# (CRYPT) 
> - IRC irc.w3.org:6665 #crypto
> 
> Starting from now, I suggest that people having comments on the editors draft Web Crypto API could express themselves on the mailing list, so that we can start discussing, sharing views. As a note, the list is also open to any discussion related to group organization (e.g. we are looking for an editor for the Usecases and Requirements part, if you want to volunteer, just mention it on the list...), new usecases, or general information that would help us to build our web crypto vision. 
> 
> For our next call, I am suggesting the following agenda - feel free to suggest other items: 
> 
> 1. Introduction 
> 2. "Virtual round table" of delegates
> 3. Agenda approval
> 4. Review of editor's draft API (by editors) - available under http://www.w3.org/2012/webcrypto/WebCryptoAPI/ 
> 5. Review of comments on draft Web Crypto API (if any)
> 6. Web Cryptography Usecases and Requirements 
> 7. Test Suite for Web Crypto API
> 8. Feedback from public conf call - available http://lists.w3.org/Archives/Public/public-webcrypto/2012May/0002.html 
> 9. F2F meetings (summer, TPAC)
> 10. Regular conference call scheduling
> 11. Liaisons with other groups (IETF, ECMA, W3C CG)
> 
> 
> Virginie
> gemalto
> 
> 
>

Received on Wednesday, 9 May 2012 16:06:04 UTC