[Bug 26080] Remove unsafe named curves from Web Crypto API from bugzilla@jessica.w3.org on 2014-06-13 (public-webcrypto@w3.org from June 2014)

From: <bugzilla@jessica.w3.org>
Date: Fri, 13 Jun 2014 17:58:22 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-26080-7213-JT1P8MTMRm@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26080

--- Comment #9 from Greg Slepak <hi@okturtles.com> ---
(In reply to Ryan Sleevi from comment #4)
> (In reply to Greg Slepak from comment #3)
> > > > 3. Should any Named Curves be discovered to be unsafe in the future, that
> > > > they be deprecated and eventually removed from the spec.
> > > 
> > > That's not going to happen, for the reasons captured (at great length) on
> > > https://www.w3.org/Bugs/Public/show_bug.cgi?id=25985 . That's not how the
> > > web works.
> 
> As noted on that thread, removing APIs from the web (which breaks sites) is
> far, far more troubling and difficult.
> 
> Referencing SSL 2.0 is entirely orthogonal to the discussion. This would be
> akin to the next draft of HTML removing support for the canvas tag entirely.
> Just because you removed it from your spec doesn't magically make it stop
> existing, nor does it remove browsers' need to support it, as pages live on.


I think more needs to be discussed about this point, as the more I think about
it the more I think you are conflating two incompatible concepts that should
not be conflated.

These two mutually exclusive concepts are:

Type 1: Something like the HTML spec, which specifies how pages are to be
displayed (usually visually).

Type 2: How pages are to be transmitted.

What you're building here is not of Type 1. You are making something like SSL,
a security spec, and security specs definitely do contain the concept of
"deprecation", etc.

There is *no point* in making an insecure security spec. That would be, how you
say, an oxymoron.

Security-specs *must* support deprecation. There is no point to them otherwise.

On a somewhat related note, look what happened to CSS :visited attributes when
it was discovered that they can be used by JavaScript to enumerate a user's
browsing history:
https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/

They were mutated to prevent that from happening.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Friday, 13 June 2014 17:58:23 UTC