Re: Last call for public comments on Web Crypto charter from Richard Barnes on 2011-11-21 (public-identity@w3.org from November 2011)

From: Richard Barnes <rbarnes@bbn.com>
Date: Mon, 21 Nov 2011 09:08:46 -0500
To: Harry Halpin <hhalpin@w3.org>
Cc: public-identity@w3.org
Message-Id: <E5D13C8C-872B-4AF7-99C5-BDDDFD40F7C4@bbn.com>

Hi Harry,

I have a few comments on the Scope section.  Coming at this from the perspective of someone generally knowledgeable about crypto stuff, but new to this group.

CURRENT:
"
The primary features in scope are encryption, decryption, digital signature generation and verification, hash/message digest algorithms, confidentiality algorithms, key transport/agreement algorithms, HMAC algorithms, key pair generation, and key storage on the device. In addition, the API should be asynchronous and must prevent external access to secret material.
"
COMMENTS: 
-- It would be helpful to have a little more clarity in this text.  
-- I don't know how "confidentiality algorithms" differs from "encryption"
-- I don't know what "key transport/agreement algorithms" means in this context
-- Bullets might help readability
SUGGESTED:
"
The primary features in scope are the following:
   * Symmetric encryption and decryption 
   * Digital signature generation and verification
   * Hash / message digest algorithms 
   * HMAC algorithms
   * Generation of asymmetric key pairs
   * Secure storage for private keys and symmetric keys
"

CURRENT:
"
Secondary features might include: strong random generation, control of session login/logout, extraction of keys from TLS sessions, PKI scheme validation, destruction of temporary credentials, storage of secrets in a tamper-proof container, non-opaque key identifiers (assuming by default all key identifiers are opaque in the normal case), the availibility of multiple key containers (in either hardware or software).
"
COMMENTS:
-- I would suggest moving random number generation to the main feature list.  It's not a complicated thing to put an API to.
-- I don't know what the phrase "PKI scheme validation" means
-- Isn't "storage of secrets..." covered by the key storage bullet above?  
-- In addition to multiple key containers, you might also have multiple crypto services.  The work would seem to be about the same to implement both of these; either way you need an identify the container/service.
-- Bullets would probably help readability here too.

Hope this helps,
--Richard



On Nov 17, 2011, at 11:17 PM, Harry Halpin wrote:

> Everyone,
> 
> On next Tuesday, as said earlier, I plan to take the Web Cryptography
> charter [1] from the wiki and put it into HTML as an "official draft
> charter" then ask for preliminary feedback from the AC, before going to
> real AC review in December (thus launching Working Group in January).
> 
> So, if you have any comments, *now* is the time to send to the mailing
> list. Suggested text replacement is most welcome.
> 
>      cheers,
>         harry
> 
> [1] http://www.w3.org/wiki/IdentityCharter
>

Received on Monday, 21 November 2011 14:09:45 UTC