- From: David McGrew (mcgrew) <mcgrew@cisco.com>
- Date: Fri, 15 Mar 2013 16:31:55 +0000
- To: Ryan Sleevi <sleevi@google.com>, Harry Halpin <hhalpin@w3.org>
- CC: "public-webcrypto@w3.org" <public-webcrypto@w3.org>, "kmigoe@gmail.com" <kmigoe@gmail.com>
Hi Ryan and Harry, On 3/15/13 11:35 AM, "Ryan Sleevi" <sleevi@google.com> wrote: >In discussions with others at IETF, this is not something that the >CFRG tries to provide. > >That is, the CFRG helps provide input and design, particularly around >the design of *new* protocols. This is not a suitable overlap with >what you want - which is development guidance for the use of >particular algorithms. > >The CFRG cipher catalog, which you have previously requested to >reference, is entirely in the context of discussion of ciphers *in use >by standard protocols*. You do not, for example, see discussions of >OTR/mpOTR. Focusing on ciphers defined in IETF documents, or referenced in IETF documents, was a good way to keep the scope of the cipher catalog document from getting too big. > >Respectfully, a "how to be a cryptographer" is not a good activity. > >On Fri, Mar 15, 2013 at 8:10 AM, Harry Halpin <hhalpin@w3.org> wrote: >> If so, it may be useful to discuss with them their feedback (via Zooko) >>to >> the API. >> >> I have thought, and this came up in an OECD discussion with the IETF >>chair, >> that per-algorithm security considerations *in a separate RFC* might be >>a >> good idea. Note this is a separate conversation than the registry, but >>would >> address their comments by putting the ball back in their court, so to >>speak. >> >> Then our API can point to their RFC, which they can then keep updated as >> long as the CFRG runs. Did the CFRG discuss this, or the API, at all? As CFRG co-chair, I would welcome input and questions from webcrypto, either as a presentation to an upcoming meeting, or as an internet draft. We need to keep things scoped, of course, but discussion of crypto APIs seems worthwhile to me. At least, it seems to me that it should be possible to come up with a presentation/discussion on that topic that would be of broad interest to the Internet crypto community. What do you think? In my opinion, it would be useful to have an API for authenticated encryption that is higher level than RFC5116, which hides as many implementation details as possible from the user. This effort could potentially be aligned with the CAESER submissions http://competitions.cr.yp.to/ I am not sure how well this lines up with the needs of webcrypto, though. And for sure it just focuses on a small subset of the API security issues. Copied Kevin (CFRG co-chair). David >> >> cheers, >> harry >> >> >> >
Received on Friday, 15 March 2013 16:33:31 UTC