Re: Registries and Interoperability

On 02/07/2013 10:48 PM, Arun Ranganathan wrote:
> On Feb 7, 2013, at 12:27 PM, Harry Halpin wrote:
>> No, the process I suggested generally would involve handing off after 
>> the lifetime of a WG the following two items:
>> 1) maintaining security considerations per identifier to the CFRG, 
>> which operate on a public list
>> 2) maintaining requests for a new algorithm identifiers in a public 
>> registry, with requests on a public list and the test-cases being 
>> publican accessible.
>> Some may consider this sensible as the crypto landscape does change 
>> and will thus likely change after the lifespan of this WG.
> It is true that much of the process behind WebApps and HTML is 
> bolstered by the fact that we don't envision these WGs as ever really 
> "closing" (which might be like saying the web's done).  I'm wondering 
> if W3C might be amenable to another model that doesn't involve 
> re-chartering a WG, but does allow for spec and/or document 
> maintenance, which is what draws me to the WHATWG, which is another 
> option, if there's a willing editor.
> For instance, new identifiers (2. above) reminds me of the potentially 
> ongoing problem of DOMException and DOMError.  Both WHATWG DOM Spec 
> [1] and the DOM4 [2] specification in W3C cite the W3C Bug Database as 
> a way of adding new exception codes, if necessary (the latest added 
> one comes from File API, namely EncodingError).   I'm not sure we can 
> totally classify DOMException and DOMError as "done" for all time.  I 
> think it's likely to be the same with Web Crypto, since saying 
> anything security related is "done" is unwise, as is the assumption 
> that further algorithms won't proliferate.
> Instead of a registry, can we do something like active bug 
> discussions, and keep *public active?  This is what makes WHATWG 
> attractive, but I understand that patent considerations might limit 
> the merits of merely migrating there.

When a WG closes, public-webcrypto@w3.rg closes as the WG is closed. The 
comments list can stay open.

My feeling here is that of course we can keep the Bug Database open, and 
I hope we do so, as well as the test-suite.

However, that's not the cases that have been brought up. The two cases are:

1) A web developer wants to see if a new experimental algorithm 
identifier can be added. That could be done in the Bugzilla, but that 
might be hard to discover/reference amongst other bugs - and then text 
needs to be clear about that as a use of the Bugzilla. A registry might 
be easier. But maybe not.

2) A web developer needs to know the security considerations for an 
algorithm identifier. I think CFRG should handle that rather than our 
API, and we should explicitly point to them in our API documents as well 
as the "larger cryptographic literature".

Again, having W3C liason with CFRG, IANA, and so on takes time, which is 
why this is being brought up now :) W


> -- A*
> [1] "Note: If an error name is not listed here, please file a bug as 
> indicated at the top of this specification and it will be addressed 
> shortly. Thanks!"
> [2] "If an error name is not listed here, please file a bug as 
> indicated at the top of this specification and it will be addressed 
> shortly. Thanks!" 

Received on Friday, 8 February 2013 19:30:39 UTC