General update on CR and test-suite from hhalpin on 2016-02-22 (public-webcrypto@w3.org from February 2016)

From: hhalpin <hhalpin@w3.org>
Date: Mon, 22 Feb 2016 05:56:30 -0500
To: public-webcrypto@w3.org
Message-ID: <98df9d15f5db0b0ae9616ca7a6cd91aa@webmail.w3.org>

Since we have some new members, here's the current state of play to 
update (and old members know this already, but you may want to swap it 
in before the call).

The goal of getting to CR is to make the spec reflect accurately the 
reality. Each underlying feature should have two independent 
implementations, which in our case is two independent browser teams (so 
Chrome on Android and Chrome on Windows don't count, but Chrome on 
Android vs. Edge on Windows counts).

* Getting to CR:

First, we have to resolve two formal objections. We have already sent a 
list of attacks made by Graham Steel (INRIA) to IRTF [1] and so we just 
need to add a reference to that for the spec and I need to give it a 
quick update to reflect latest rounds of comments and another 
INRIA/ENISA internal review. The second is to determine the state of 
play with non-NIST curves, i.e. most likely Curve25519 in terms of 
implementation. Unless two browsers have committed to implementing 
Curve25519 and revealing to WebCrypto, then we can say its still 
en-route and we'll update when that's ready, and the liaison with IRTF 
CFRG continues.

The last part is we have to show that we show for our CR *at minimum* 
that algorithms have at least two implementations. If they don't, he 
wanted them removed from the spec.

Here's my last check from Nov 2015:
https://www.w3.org/2012/webcrypto/CR-report/

Based on:
https://github.com/diafygi/webcrypto-examples/

It needs to be updated to reflect RSA-PSS support by Firefox, and we 
need to actually remove the algorithms from spec that are not being 
implemented across two or more browsers.

* Test-suite

We can also, as Ryan wants, do a much more thorough testing. For an 
example of this, see:

http://testthewebforward.org/

And then those tests are added to the HTML5 effort [2] (see test of 
randomValues for an example). I earlier wanted to do this, but currently 
browser test-suites would need to be converted, or we'd have to redo the 
tests. If I can find 2-3 people to help with this task, I'm all for it 
and pushing it hard over the next few months.

* Work mode

Up until now we were/are using W3C's repo. I migrated the spec to Github 
and suggest we migrate all issues and close the W3C's repo down for the 
final push on WebCrypto to CR.

I suggest weekly meetings to really push things over the next few months 
if people are OK with that.

Any thoughts?

   yours,
     harry

[1] 
https://datatracker.ietf.org/doc/draft-irtf-cfrg-webcrypto-algorithms/
[2] https://github.com/w3c/web-platform-tests/tree/master/WebCryptoAPI
-- 

Harry Halpin (W3C/MIT) harry@w3.org

Received on Monday, 22 February 2016 10:56:40 UTC