Re: [W3C Web Crypto WG] Call for Consensus on moving curve 25519 to a W3C Working Draft from Harry Halpin on 2014-11-21 (public-webcrypto@w3.org from November 2014)

From: Harry Halpin <hhalpin@w3.org>
Date: Fri, 21 Nov 2014 02:29:49 +0100
To: Ryan Sleevi <sleevi@google.com>
CC: Richard Barnes <rlb@ipv.sx>, GALINDO Virginie <Virginie.Galindo@gemalto.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <546E958D.4010907@w3.org>
On 11/21/2014 12:54 AM, Ryan Sleevi wrote:
> +1 to the WG taking on a document to describe Curve25519, as there is zero
> commitment for the WG to ship or implement or agree to even send the draft
> forward in the process.
> -1 to Harry's reasoning and explanation, which I do not think is either
> necessary nor, given the many discussions had in the past, consistent with
> the messaging that either he or our Chair have provided people regarding
> curve extensibility, especially the comment "moving the whole spec back to
> Last Call"
> -1 because I agree with Richard that there is no sense rushing a draft out,
> especially if the CFRG makes any changes to Curve25519 (or NUMS) for
> suitability for TLS.
> 
> So, overall, -1


What we need is a coherent plan to tell our reviewers and the W3C at CR
transition about our relationship to the request for Curve 25519 and
CFRG.  I was working off this resolution:

http://lists.w3.org/Archives/Public/public-webcrypto/2014Aug/0102.html

In particular, we can state that although that 'the WG agrees on the
principle that Curve25519 will be added to Web Crypto WG deliverables as
an extension to the Web Crypto API specification' and 'this extension
will be used as a beta test for the extensibility mechanism that we need
to address as raised in bug 25618.'

I have no problem that the WG will delay any movement on Curve 25519 to
Working Draft (or in any other way included in the spec) until the CFRG
recommended curve is announced, especially if this is seen as pre-emptig
the CFRG decision.

I'm happy to also cite this resolution, which states that 'no additional
curve to integrate before IETF/CFRG share its recommendation', which
explains our relationship to CFRG well:

http://lists.w3.org/Archives/Public/public-webcrypto/2014Sep/0011.html

In the case CFRG does propose new curves (which may or may not be Curve
25519), the route forward in the resolution (not made explicit in the
text of the current draft) is that 'some new curves may be added if
IETF/CFRG issue recommendations and that curves description are mature
and complete enough to be referenced in our deliverables before we move
to Proposed Recommendation. In that special case, the specification
would go back to Last Call'.

Since it appears the WG wants to wait, in the case CFRG does not propose
new curves or proposes curves other than Curve 25519, the WG can also
simply move Curve 25519 as a separate Working Draft and let it proceed
as any other deliverable, relative to the agreed upon
extensibility/errata mechanism in the spec.

           cheers,
                  harry



> 
> On Thu, Nov 20, 2014 at 2:22 PM, Harry Halpin <hhalpin@w3.org> wrote:
> 
>>
>>
>> On 11/20/2014 11:18 PM, Richard Barnes wrote:
>>> On Thu, Nov 20, 2014 at 5:13 PM, Harry Halpin <hhalpin@w3.org> wrote:
>>>
>>>>
>>>>
>>>> On 11/20/2014 11:08 PM, Richard Barnes wrote:
>>>>> -1
>>>>>
>>>>> I thought we had agreed to take no action on new curves until the CFRG
>> /
>>>>> TLSWG process concluded.  AFAICT, it has not.
>>>>
>>>> My understanding that Curve 25519 would a test of how we could add new
>>>> algorithms by sending them through the WG independently of CFRG.
>>>>
>>>> If CFRG choses a curve, then I thought the WG agreed we would try to
>>>> include it.
>>>>
>>>> Thus, they are separable. However, in the case that CFRG does indeed
>>>> chose Curve 25519 (CFRG discussion is rumoured to be ending in early
>>>> Dec.) then we'll obviously not have this problem.
>>>>
>>>
>>> I don't see why we would use a curve other than the one(s) chosen by CFRG
>>> for this experiment.  We're just talking about a few more weeks.
>>
>> The reason is so we can show we have adequately responded when we
>> transition to CR to the numerous complaints over curves - and thus that
>> our extensibility and errata-based mechanism can do the heavy-lifting.
>>
>> However, we can write in the bugzilla that we will revisit when/if CFRG
>> choses a curve. However, I see no harm and quite a bit of good in taking
>> Curve 25519 forward as Working Draft and it does show serious commitment
>> from the WG to the issue.
>>
>> If CFRG choses another curve, that curve can also be included by either
>> a similar mechanism or moving the whole spec back to Last Call.
>>
>>
>>>
>>> --Richard
>>>
>>>
>>>
>>>
>>>
>>>>
>>>>    cheers,
>>>>        harry
>>>>
>>>>>
>>>>> On Thu, Nov 20, 2014 at 12:46 PM, GALINDO Virginie <
>>>>> Virginie.Galindo@gemalto.com> wrote:
>>>>>
>>>>>>  Dear all,
>>>>>>
>>>>>>
>>>>>>
>>>>>> This is a call for consensus directed to WG participants to have the
>>>> curve
>>>>>> 25519 draft provided by Trevor Perrin [1] to become a W3C Working
>>>> Draft, in
>>>>>> the Web Crypto WG.
>>>>>>
>>>>>> That draft has been discussed with WG members during an informal call
>> on
>>>>>> the 18th of August [2]. We decided not to make decision to endorse
>> curve
>>>>>> 25519 in the web crypto API, but rather see it as a candidate for our
>>>>>> extension/errata process.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Please answer to this call for consensus before the 5th of December
>>>> 23:59
>>>>>> UTC :
>>>>>>
>>>>>> -          Indicate in a reply mail (+1) if you agree
>>>>>>
>>>>>> -          Indicate in a reply mail (-1) if you object
>>>>>>
>>>>>>
>>>>>>
>>>>>> While explicit consent is preferable, silence means endorsement (+1)
>> of
>>>>>> this decision to have this draft becoming a W3C Working Draft.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Virginie
>>>>>>
>>>>>> Chair of  Web Crypto WG
>>>>>>
>>>>>>
>>>>>>
>>>>>> [1]
>>>>>>
>>>>
>> http://htmlpreview.github.io/?https://github.com/trevp/curve25519_webcrypto/blob/master/Curve25519_WebCrypto.html
>>>>>>
>>>>>> [2] http://www.w3.org/2014/08/18-crypto-minutes.html
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>  ------------------------------
>>>>>> This message and any attachments are intended solely for the
>> addressees
>>>>>> and may contain confidential information. Any unauthorized use or
>>>>>> disclosure, either whole or partial, is prohibited.
>>>>>> E-mails are susceptible to alteration. Our company shall not be liable
>>>> for
>>>>>> the message if altered, changed or falsified. If you are not the
>>>> intended
>>>>>> recipient of this message, please delete it and notify the sender.
>>>>>> Although all reasonable efforts have been made to keep this
>> transmission
>>>>>> free from viruses, the sender will not be liable for damages caused
>> by a
>>>>>> transmitted virus.
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>
Received on Friday, 21 November 2014 01:30:02 UTC