Re: Bug #23500 - Raw AES Access?

Bad idea because again, people are not skilled enough?

I just want to make sure we have consistent criteria regarding the
acceptance/rejection of an algorithm. And, of course, regardless of
specification, there's a question of "Who will implement it if it's
exposed" and "Can it accomplish the goal" (of supporting polyfills).

I'm particularly hesitant towards that last one - I don't think, at least
for the algorithms given, it's reasonably possible to implement secure
polyfills using such a primitive.

I also think any AES primitive would argue for a different interface of
sorts, since the primitive case generally has different performance
requirements than the "composed" case. E.g., consider 'optimized'
implementations of AES-GCM, AES-CTR, or even AES-CBC, which use some form
of pre-computation or interleaving that the current interface wouldn't
support.

Anyway, I'm not particularly advocating "raw" AES in the first draft, but
neither am I willing to write it off, especially on the basis of "people
will get it wrong", since such a discussion is structurally equivalent to
arguing for VRML over WebGL.


On Fri, Jan 24, 2014 at 2:36 PM, Jim Schaad <ietf@augustcellars.com> wrote:

> Strictly because other people are not skilled enough.  This can easily be
> fixed by adding AES-ECB but that just seems to be a bad idea.
>
> *From:* Ryan Sleevi [mailto:sleevi@google.com]
> *Sent:* Friday, January 24, 2014 2:21 PM
> *To:* Jim Schaad
> *Cc:* public-webcrypto@w3.org
> *Subject:* Re: Bug #23500 - Raw AES Access?
>
> Jim,
>
> If I can make sure I understand your objection, it's because you don't
> think other people are skilled enough, nor do you believe polyfills are a
> valid use case?
>
> On Fri, Jan 24, 2014 at 2:09 PM, Jim Schaad <ietf@augustcellars.com>
> wrote:
>
> I have a problem with dealing with this issue.  While I agree that it
> might be useful to allow for having raw ECB access to block encryption
> processes, I think that the drawbacks of people actually having access to
> the ECB mode and thus getting things wrong are probably too great to allow
> for this.  I think this is one of those cases where, if you want to get a
> funny block mode, then forcing an implementer to also provide the block
> encryption algorithm is probably worthwhile.
>
> I would say that this bug should be closed with no action.
>
> Jim

Received on Saturday, 25 January 2014 00:09:55 UTC