- From: Harry Halpin <hhalpin@w3.org>
- Date: Mon, 12 May 2014 12:00:15 +0200
- To: "Salz, Rich" <rsalz@akamai.com>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Rich,

I think Ryan's already responded to these comments, although thanks for filing the bug. Do you view these comments as a "formal objection"? To clarify, that's a special term in W3C process, see here for a definition:

"A Formal Objection to a group decision is one that the reviewer requests that the Director consider as part of evaluating the related decision (e.g., in response to a request to advance a technical report). Note: In this document, the term "Formal Objection" is used to emphasize this process implication: Formal Objections receive Director consideration. The word "objection" used alone has ordinary English connotations." [1]

Basically, it means you think it's *really important*, so that it should be discussed with the Director (Tim Berners-Lee) as we exit Last Call.

While your comment does conflict with previous WG decisions and we can't obviously list per-algorithm security considerations for every possible primitive in a changing world where most security considerations have to deal with their combinations in terms of protocols, it is possible that the word "Recommended" could cause confusion insofar as people may interpret it as "recommended for new protocols" rather than "recommended for interoperability reasons". Obviously, only in terms of new protocols is where the "don't release weak crypto" arguments do apply, even though we hope that people do not implement new protocols but instead ones that have a security review, such as given by the IETF, as Ryan has explained.

Both the editor and WG have taken this comment on board and hopefully you will be able to live with our resolution.
cheers,
harry

[1] http://www.w3.org/2003/06/Process-20030618/policies.html#WGArchiveMinorityViews

On 05/08/2014 05:29 PM, Salz, Rich wrote:
> I just opened https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607,
> "Need to advise authors about security considerations"
>
> As it says in the entry, "This defect is in collaboration with
> Kenny Paterson. I believe that taking the fixes below will also
> address 18925, 23499, 25431 (maybe, by lack of use:), 25569."
>
> The number of changes that need to be made is small, non-intrusive,
> and hopefully not controversial. In addition to Kenny, thanks to
> Ryan for an interesting discussion (albeit mostly via twitter :).
>
> /r$
>
> PS: As I am not on this list, please CC me on any replies.
>
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge, MA
> IM: rsalz@jabber.me; Twitter: RichSalz
Received on Monday, 12 May 2014 10:00:24 UTC