RE: On Registries

Ryan, it seems that your primary motivation here is preventing things that could go wrong.  Mine is enabling things that can go right.

I find it hypocritical that you’ll happily use the IANA Registry to extend JWK for use by WebCrypto in http://www.w3.org/TR/WebCryptoAPI/#iana-section but you’re unwilling to admit that enabling the IETF or others to similarly extend WebCrypto would likewise be a good thing.

The IETF is happy to have others extend the Internet in a principled fashion.  Why are you so afraid to let the IETF or others extend the Web in a similarly principled fashion?

JWK is stronger because WebCrypto can extend it.  It’s better for WebCrypto, better for JOSE, and better for the Internet.  WebCrypto and the Web would be similarly stronger if others outside the W3C could extend it.  So let’s make it happen!

I’ll be happy continue to advocate that it’s more important to WebCrypto and the W3C to enable responsible extensions by all, even though it may scare you, than to maintain a closed spec and closed process that only one organization can extend.  I believe that openness in this respect is “on the right side of history”.

                                                            -- Mike

From: Ryan Sleevi [mailto:sleevi@google.com]
Sent: Thursday, August 07, 2014 8:12 PM
To: Mike Jones
Cc: Mark Watson; public-webcrypto@w3.org
Subject: RE: On Registries


On Aug 7, 2014 7:56 PM, "Mike Jones" <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
>
> Replies about the W3C’s positive role in ensuring quality of algorithm registry entries inline at the end of this message…
>
>
>
> From: Ryan Sleevi [mailto:sleevi@google.com<mailto:sleevi@google.com>]
> Sent: Thursday, August 07, 2014 7:44 PM
> To: Mike Jones
> Cc: Mark Watson; public-webcrypto@w3.org<mailto:public-webcrypto@w3.org>
> Subject: RE: On Registries
>
>
>
> On Aug 7, 2014 7:31 PM, "Mike Jones" <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
> >
> > Thanks for your insightful reply, Mark.  A few comments inline below…
> >
> > From: Mark Watson [mailto:watsonm@netflix.com<mailto:watsonm@netflix.com>]
> > Sent: Thursday, August 07, 2014 6:02 PM
> > To: Mike Jones
> > Cc: Ryan Sleevi; public-webcrypto@w3.org<mailto:public-webcrypto@w3.org>
> > Subject: Re: On Registries
> >
> > On Thursday, August 7, 2014, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
> >
> > Simple.  In the first case, the algorithm is a data value.  In the second case, it’s encoded in an API.  Data values are easily extensible.  APIs are not.  That’s why extending the space of algorithms by registering new data values makes a world of sense.  Expending the algorithms by adding new APIs for each would be clunky, procedurally slow, and mostly unworkable.
> >
> > I think what Ryan is saying is that it should be no easier to add an algorithm than it is to add a new API (or, more strongly, that a new algorithm *is* a new API and _therefore_ should be no easier to add).
> >
> > I believe you’ve accurately identified the heart of the disagreement here, Mark.
> >
> > IF we decided that it should be easier than this to add new algorithms and especially if we decided that groups other than W3C Working Groups should be able to do so, then a registry makes sense as a mechanism to coordinate that.
> >
> > Agreed.
> >
> > Otherwise (which is where we are now), then the definitive list of algorithms is to be found in the sum total of the output of the W3C WebCrypto Working Group and nowhere else.
> >
> > If we decide that he definitive list of algorithms is only to be produced by the W3C WebCrypto Working Group, I believe that would be a significant missed opportunity.  The WebCrypto API is an exercise in packaging algorithms developed by cryptographers for use by Web developers, just like JOSE is.  Neither working group’s primary expertise is cryptography.  Cryptographers should be the ones to write the extensions specs defining new algorithms – not us.  Some of those may occur in the W3C but some may occur in the IETF and some may be individual drafts by people such as Dan Bernstein, David McGrew, and Brian LaMacchia.
> >
> > We would be doing the WebCrypto API and the Web a significant disservice if we don’t enable people other than us to define and register new algorithms for use with WebCrypto.  We should be humble enough to recognize that defining new crypto algorithms is not our expertise and let those who are experts define them for use with our spec, no matter where they choose to do the work.
> >
>
> I agree with the sentiment that anyone should be able to write definitions for algorithms, and am excited to see Trevor's Curve25519 draft.
>
> I disagree with the sentiment that it should happen outside the W3C. To do so is to return to the browser wars, where both Microsoft and Mozilla, though well motivated, wrecked great harm through "embrace, extend, extinguish" and the introduction at large of new vendor-specific APIs, often without specs (or without free licensing, or with great patent encumbrance, or through active hostility towards other UAs efforts to interop)
>
>
>
> The W3C (and the WHATWG) exist to help prevent that terrible harm from ever happening again. The way to do that is by having multiple UAs coordinate and ship features responsibly, to agree on specifications, and to avoid vendor lock-in.
>
> Regardless of this group's cryptographic expertise, which i agree is unfortunately lacking, we are filled with UA implementors, the sole entities with the power to make - or break - the web; For developers, for other UA implementors, and most importantly, for users, for this generation of the web and those to come. For that, there can and should be no alternative - we must agree, as UAs, and the W3C exists precisely to support and guide that agreement.
>
>
>
>
>
> Suggesting that using a responsibly managed registry would be a return to the “browser wars” or that features would be shipped without specifications is hyperbole.  I’m only advocating a specification-required registry with expert review.  The W3C would appoint the appropriate experts to ensure that the specifications registering algorithms are clear and well-written and meet any other criteria decided by the W3C.  The W3C can ensure the quality of registered algorithms without having to write all the drafts itself.  It’s unnecessary and detrimental hubris to think that we’re the only ones qualified to do so.
>
>
>
>                                                             -- Mike

Expert Review is exactly the detrimental sort of stuff that got us into this.

The W3C REC track is exactly that. A path for _anyone_ to write specs, submit them to the WG, for UAs and users to agree in interest, and to develop and publish such specifications with clear views on patents, interoperability, and applicability to the web.

No single expert is qualified to reflect consensus of a multi-stakeholder UA community, which is a fundamental and nonnegotiable portion of any Web API.

So if we talk a panel of experts, who are they? Well, we probably want some UAs, those are essential. We probably need some cryptographers, since security is key. We should hear from developers, since this matters to them. And we should probably have a few representatives from the public.

And suddenly, you have an Expert Panel that is indistinguishable in form or function from a WG. And without having to reinvent a process for that review.

Any solution that fails to go through the W3C/WHATWG process is, in spirit and effect, a return to the browser wars - including the designation of sole experts (which the W3C also has readily available if this WG should ever need - the TAG and AB)

Received on Friday, 8 August 2014 04:20:55 UTC