W3C home > Mailing lists > Public > public-webcrypto@w3.org > April 2014

Re: Reminder: WebCrypto WG Meeting in 30 minutes

From: Harry Halpin <hhalpin@w3.org>
Date: Mon, 21 Apr 2014 21:54:35 +0200
Message-ID: <5355777B.8070808@w3.org>
To: Ryan Sleevi <sleevi@google.com>
CC: "public-webcrypto@w3.org" <public-webcrypto@w3.org>

On 04/21/2014 09:47 PM, Ryan Sleevi wrote:
> Not entirely true - we have received feedback from several members 
> (Boris, Anne) about issues affecting implementability.
> See Bugs 25390, 25389, 25198, 25386, 25383, 25382
> These are the kind of things that are *most useful* to the spec - 
> promoting idiomatic Web APIs that are consistent with developers 
> expectations and use cases. We've recently been able to close out Bug 
> 24963 (update pending), which is another prime example of a meaningful 
> change for usability.
> The W3C TAG is in the process of reviewing the spec ( 
> https://github.com/w3ctag/spec-reviews/issues/3 ) and has already 
> highlighted some issues that can be done to improve things.
> We know that INRIA is reviewing the spec (thread "WebCrypto Security 
> Analysis")
> I think we're on track with the level of feedback we expected / hoped 
> for. As a low-level API, there are very few "design choices" on a 
> crypto level to be commented on, beyond those that SAAG / CFRG has 
> highlighted.  Some we can resolve, some we may not be able to.
> The choice of algorithms, however, is actually far, far less 
> interesting than the set of API design choices we've made, and 
> ensuring those are well-reviewed.

Yes, there has been good work - but we probably one more push is needed 
before May 20th. To be precise, external review from outside the WG and 
the other WGs that are supposed to review our work before we hit CR. 
Boris Zbarsky, Anne, and others of course have done a great job 
commenting on the Bugzilla. I am very much looking forward to the TAG 
review in particular, and wondering if any other outlets would be useful 
to get more general purpose developer review.

In particular, we should seek direct evidence of review in order to proceed:

* WebAppSec
* HTML (although I understand again, overlap is high)
* WebApp (Ditto re Anne)
* IETF (SAAG feedback counts more or less)
* ECMA TC39 (I'm thinking if signed off in the right way, 
public-script-coord plus TAG would count as best effort here)

I know there's been a lot of internal consulting that's happened 
already, but to get formal sign off from this WGs helps us have evidence 
that we have had wide review.



> On Mon, Apr 21, 2014 at 12:34 PM, Harry Halpin <hhalpin@w3.org 
> <mailto:hhalpin@w3.org>> wrote:
>     We should go over a number of things, such as the workshop
>     proposal, any controversial new bugs, and how to get more feedback
>     from developers on the Last Call Working Draft. We're half way
>     through Last Call and so far only have some commentary from the SAAG.
>       yours,
>          harry
Received on Monday, 21 April 2014 19:54:43 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:22 UTC