RE: On Registries

On Aug 7, 2014 7:31 PM, "Mike Jones" <Michael.Jones@microsoft.com> wrote:
>
> Thanks for your insightful reply, Mark.  A few comments inline below…
>
>
>
> From: Mark Watson [mailto:watsonm@netflix.com]
> Sent: Thursday, August 07, 2014 6:02 PM
> To: Mike Jones
> Cc: Ryan Sleevi; public-webcrypto@w3.org
> Subject: Re: On Registries
>
>
>
> On Thursday, August 7, 2014, Mike Jones <Michael.Jones@microsoft.com>
wrote:
>
> Simple.  In the first case, the algorithm is a data value.  In the second
case, it’s encoded in an API.  Data values are easily extensible.  APIs are
not.  That’s why extending the space of algorithms by registering new data
values makes a world of sense.  Expending the algorithms by adding new APIs
for each would be clunky, procedurally slow, and mostly unworkable.
>
> I think what Ryan is saying is that it should be no easier to add an
algorithm than it is to add a new API (or, more strongly, that a new
algorithm *is* a new API and _therefore_ should be no easier to add).
>
>
>
> I believe you’ve accurately identified the heart of the disagreement
here, Mark.
>
>
>
> IF we decided that it should be easier than this to add new algorithms
and especially if we decided that groups other than W3C Working Groups
should be able to do so, then a registry makes sense as a mechanism to
coordinate that.
>
>
>
> Agreed.
>
>
>
> Otherwise (which is where we are now), then the definitive list of
algorithms is to be found in the sum total of the output of the W3C
WebCrypto Working Group and nowhere else.
>
>
>
> If we decide that he definitive list of algorithms is only to be produced
by the W3C WebCrypto Working Group, I believe that would be a significant
missed opportunity.  The WebCrypto API is an exercise in packaging
algorithms developed by cryptographers for use by Web developers, just like
JOSE is.  Neither working group’s primary expertise is cryptography.
Cryptographers should be the ones to write the extensions specs defining
new algorithms – not us.  Some of those may occur in the W3C but some may
occur in the IETF and some may be individual drafts by people such as Dan
Bernstein, David McGrew, and Brian LaMacchia.
>
>
>
> We would be doing the WebCrypto API and the Web a significant disservice
if we don’t enable people other than us to define and register new
algorithms for use with WebCrypto.  We should be humble enough to recognize
that defining new crypto algorithms is not our expertise and let those who
are experts define them for use with our spec, no matter where they choose
to do the work.
>
>

I agree with the sentiment that anyone should be able to write definitions
for algorithms, and am excited to see Trevor's Curve25519 draft.

I disagree with the sentiment that it should happen outside the W3C. To do
so is to return to the browser wars, where both Microsoft and Mozilla,
though well motivated, wrecked great harm through "embrace, extend,
extinguish" and the introduction at large of new vendor-specific APIs,
often without specs (or without free licensing, or with great patent
encumbrance, or through active hostility towards other UAs efforts to
interop)

The W3C (and the WHATWG) exist to help prevent that terrible harm from ever
happening again. The way to do that is by having multiple UAs coordinate
and ship features responsibly, to agree on specifications, and to avoid
vendor lock-in.

Regardless of this group's cryptographic expertise, which i agree is
unfortunately lacking, we are filled with UA implementors, the sole
entities with the power to make - or break - the web; For developers, for
other UA implementors, and most importantly, for users, for this generation
of the web and those to come. For that, there can and should be no
alternative - we must agree, as UAs, and the W3C exists precisely to
support and guide that agreement.