RE: W3C Web Crypto - bugs to be fixed for next version : a proposal from Jim Schaad on 2014-01-25 (public-webcrypto@w3.org from January 2014)

From: Jim Schaad <ietf@augustcellars.com>
Date: Sat, 25 Jan 2014 06:51:25 -0800
To: "'GALINDO Virginie'" <Virginie.GALINDO@gemalto.com>, <public-webcrypto@w3.org>
Message-ID: <00b201cf19dc$ec74c990$c55e5cb0$@augustcellars.com>
Mark & Ryan,

 

Ok - I have attempted to start discussions on four different bugs that
Virginie put into the category of "The following bugs require a technical
decision or further discussions. I am suggestion that we fix the 15
following bugs *before* we go for Last Call."   In all of these cases I
basically got back the answer that we know what the decision is.  

 

Would it be possible for you to go through the list of issues in this
section and assign one of the following three categories to each of the
bugs:

 

1.        A decision has been made and the document needs to reflect that
decision

2.       A decision has been made and there are no document changes needed
for that decision

3.       A decision still needs to be made.

 

This would allow us to have a fast call on all of the items in 2 to close
them and we could start having the necessary discussion on all of the items
in 3.

 

Jim

 

 

From: GALINDO Virginie [mailto:Virginie.GALINDO@gemalto.com] 
Sent: Monday, January 06, 2014 8:31 AM
To: public-webcrypto@w3.org
Subject: W3C Web Crypto - bugs to be fixed for next version : a proposal

 

Hi all,

 

As part of our previous call, I had the action to bring to the WG a straw
man proposal for listing bugs to be fixed for next version of the Web Crypto
API. The next version will go for Last Call. 

 

My understanding is that the following bugs are editorial ones or
clarifications with low impact. I suggest we park them and address them
*after* we go for Last Call. 

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=24172> Bug 24172 -
Parameters listed for importKey() should include the hash

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23242> Bug 23242 -
Registered algorithms table does not list wrapKey/unwrapKey

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23504> Bug 23504 - IDLs for
DH and ECDH

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=22548> Bug 22548 - Specify
the "normalization" rules for reflecting keyUsage

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23833> Bug 23833 - Remove
sequence IDL keyword from parameters that take CryptoOperationData

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=22571> Bug 22571 - Invalid
IDL - Dictionary members as attributes

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=22639> Bug 22639 -
Clarification on "raise an error" in RSAES-PKCS1-v1_5

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23013> Bug 23013 -
extractable and keyUsages under specified for Asymmetric algorithms
(duplicated with  <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23695> Bug
23695 - Clarify how "extractable" applies to keypairs)

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23786> Bug 23786 - Please
specify a mapping between WebCrypto AlgorithmIdentifiers and pkcs-1 ones

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23017> Bug 23017 - Specify
numeric algorithm parameters with [EnforceRange] (duplicated with
<https://www.w3.org/Bugs/Public/show_bug.cgi?id=23779> Bug 23779 - Integral
Algorithm dictionary members use EnforceRange inconsistently)

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23097> Bug 23097 -
Underspecified behavior of verify() with regards to truncated signature
(truncation will be specified)

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23159> Bug 23159 -
Inconsistent "length" property when generating keys (bits vs bytes)

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23499> Bug 23499 - Add a
note to AES-CBC/AES-CFB and add AES-PSM?

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23655> Bug 23655 -
Clarification: is BigInteger [] considered zero? ([] == 0x00)

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23051> Bug 23051 -
Attributes on KeyPair should be readonly

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23762> Bug 23762 -
Importing rich key formats doesn't play well with default arguments
(proposed resolution, key usage is a mandatory attribute)

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23728> Bug 23728 -
CryptoOperationData can be mutated during operation (proposed resolution,
clarify to make a copy)

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=22992> Bug 22992 - Invalid
IDL for HmacKeyParams dictionary

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23098> Bug 23098 - Specify
algorithm normalization when reflected to key.algorithm (are generation
parameters dropped?)

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=22598> Bug 22598 - Methods
do not contain the test for their own key usage.

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23662> Bug 23662 -
InvalidAlgorithmError is unspecified

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23660> Bug 23660 -
Algorithm normalizing rules issues

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23501> Bug 23501 - PBKDF2
Parameter Warning?

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23496> Bug 23496 -
Informative note about developer expectation re user access to decrypted
data?

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23043> Bug 23043 -
derivedKeyType is unreferenced

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=22546> Bug 22546 - Make
AesCtrParams.counter an ArrayBufferView (seems to be fixed now)

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=22977> Bug 22977 - The text
for verify references CryptoOperation (which no longer exists)

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=22860> Bug 22860 - The
"registration" table for RSASSA-PKCS1-v1_5 is missing Import/Export

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=18925> Bug 18925 -
Highlight algorithm-specific security considerations

 

The following bugs require a technical decision or further discussions. I am
suggestion that we fix the 15 following bugs *before* we go for Last Call.

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=19416> Bug 19416 - KeyUsage
should be explicitly spelled out as an enforced parameter

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=24056> Bug 24056 -
Algorithms supporting encrypt/decrypt should also support wrap/unwrap

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=22677> Bug 22677 - wrapKey
requires encrypt key usage

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=20611> Bug 20611 - Specify
the text encoding for JWK key format

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23954> Bug 23954 - Please
specify RsaOaepParams label semantics

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23498> Bug 23498 - Should
the nonce, IV, and associated data be separated?

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=19705> Bug 19705 - Default
value of keyUsage is not very useful

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=22570> Bug 22570 - AES-GCM
should provide distinct inputs/outputs for the tag

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=21435> Bug 21435 - Specify
whether algorithm parameters are required for AES CBC & CTR importKey

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23831> Bug 23831 - add
HMAC-SHA1 to the list of recommended algorithms

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23445> Bug 23445 - typo
with BigInteger?

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23500> Bug 23500 - Raw AES
access? 

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23729> Bug 23729 - Key
usages future compatibility

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23503> Bug 23503 - Should
algorithms (ECC in particular) be extensible?

 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23495> Bug 23495 - Should
an informative note mention that entropy is expected? (and an error defined
?)

 

To all, 

what do you think about that prioritization ? If you agree, please feel
concerned by those bugs and suggest solution to the editors (they need you,
you remember !). 

 

Editors, 

Note that I have been created this list based on F2F meeting minutes and my
understanding when reading bugs, so please do not hesitate to correct if you
disagree with my categorization. 

 

Regards,

Virginie

 

  _____  

This message and any attachments are intended solely for the addressees and
may contain confidential information. Any unauthorized use or disclosure,
either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for
the message if altered, changed or falsified. If you are not the intended
recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission
free from viruses, the sender will not be liable for damages caused by a
transmitted virus
Received on Saturday, 25 January 2014 14:53:27 UTC