W3C home > Mailing lists > Public > public-webcrypto@w3.org > November 2012

Re: KeyStorage and Pre-provisioned Keys: A proposal

From: Ryan Sleevi <sleevi@google.com>
Date: Thu, 15 Nov 2012 15:49:55 -0800
Message-ID: <CACvaWvY4q+f01Qd+odQUzFK-w-Nork3=QgT0Vm05hYXeWb6F+Q@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>
Cc: Harry Halpin <hhalpin@w3.org>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Thu, Nov 15, 2012 at 3:18 PM, Mark Watson <watsonm@netflix.com> wrote:
>
> On Nov 15, 2012, at 2:56 PM, Ryan Sleevi wrote:
>
> Ryan,
>
> I excepted one point from your mail as I feel it is important:
>
>> Again, there's certainly a committment and interest in these issues.
>> However, the feeling is that the most important and pressing issue is
>> basic algorithm and usability support.
>
> This may be *your* feeling, but it is not mine. The API is essentially useless to us without support for pre-provisioned keys and so they are just as important to us as any other part of the API. Something we've made clear from the outset of this work.

Mark,

(Hopefully) nothing in this spec prohibits you from implementing
support for pre-provisioned keys on your own.

I would suggest you look at how other APIs have been specified - such
as in WebApps or HTML WG - or proposed - such as in SysApps - to see
how a number of other vendors and implementers are able to continue to
make progress and improve the open web platform without requiring the
"everything and the kitchen sink" approach to specs.

Indeed, it is not at all uncommon to see specifications broken up
(see, for example, CSS Modules), and independently and concurrently
developed.

I'm sympathetic to the need's of Netflix regarding pre-provisioned
keys. I imagine you may equally feel that HTML is useless for Netflix
without Encrypted Media Extensions, or that <video> is useless without
the MediaSource APIs. However, it seems that both HTML and <video>
have been able to progress and be useful for a number of other
participants, without requiring that support, and I would suggest the
same is here - a number of audiences and needs can be addressed
without pre-provisioned keys, and so I do not think it useful nor
considerate to those use cases to block any progress based on this
specific issue.

We didn't have to land on the moon in order to say we discovered
flight, nor do I think we need to solve everyone's use cases in the
first release to have a meaningful API for the open web. Otherwise,
we'll spend the next three years discussing certificate discovery,
OCSP, and Kerberos APIs, and deliver nothing in the mean time.
Received on Thursday, 15 November 2012 23:50:22 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:14 UTC