RE: "Recommended" is a bad word :)

I’m not sure that is entirely fair.

I think we’d love to put a warning notice if we could figure out what such a notice could say without being misleading. This is hard.

Take your proposed text:

"The table below indicates which algorithms, and uses, are registered by this specification. A blank field means no registration, a check means registration, and a plus means registration, but that there are known security issues with that particular combination. (See Security References, below.)"

A casual reader would take this to mean that a check mark means registration with no known security issues. However, this is not a statement one can ever make in cryptography. For instance, CBC padding oracles have been “fixed” a few times already. GCM is thought to be strong but nonce reuse will break it. There are many known attacks against RC4 but every time we see a CBC attack people recommend moving to RC4. And that’s not a complete list by any means.

So we’ve opted to take the approach of saying “It’s all scary, so ask an expert.” In Section 5.2, for example:

"This API includes a variety of cryptographic operations, some of which may have known security issues when used inappropriately. Application developers should take care to review the appropriate cryptographic literature before making use of certain algorithms, and should avoid attempting to develop new cryptographic protocols whenever possible."

This is very similar to your proposed warning; it just stays out of the business of providing a (necessarily incomplete) list of known issues. So, let’s get specific – is your objection to not reiterating the Section 5.2 warning in Section 18, or is it to not having an explicit list of algorithms we currently dislike? If the former, then what would your proposed text for that look like?

From: Salz, Rich [mailto:rsalz@akamai.com]
Sent: Monday, May 12, 2014 10:59 AM
To: Ryan Sleevi
Cc: Harry Halpin; public-webcrypto-comments@w3.org
Subject: RE: "Recommended" is a bad word :)

It seems pretty clear to me that there is no interest in putting any kind of ‘warning notice’ in the API doc.

--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz@jabber.me; Twitter: RichSalz

Received on Tuesday, 13 May 2014 06:32:00 UTC