[Bug 25607] Need to advise authors about security considerations from bugzilla@jessica.w3.org on 2014-07-01 (public-webcrypto@w3.org from July 2014)

From: <bugzilla@jessica.w3.org>
Date: Tue, 01 Jul 2014 19:41:43 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25607-7213-aq52tdKACS@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607

--- Comment #27 from Harry Halpin <hhalpin@w3.org> ---
(In reply to Mark Nottingham from comment #19)
> (In reply to Ryan Sleevi from comment #17)
> > I strongly object/oppose this. You are the only person in this WG advocating
> > MD2/MD5. You're proposed inclusion is seemingly an attempt to circumvent any
> > WG discussion of these, by trying to include a normative note that precludes
> > their use.
> 
> Rather than trying to ascribe motives here, I think everyone would benefit
> from this issue actually being discussed in the WG, full stop.
> 
> According to its home page, this WG hasn't had a meeting since 03 March
> (although I see unreferenced minutes in the archive from 05 May). There has
> been very little discussion of this issue on the mailing list beyond a
> back-and-forth between Ryan and Rich, despite the WG listing 70 participants
> in Good Standing. 
> 
> In fact, the only other WG discussion I can find on this issue (beyond Harry
> and Virginie's much-appreciated attempts to mediate an outcome) is Richard
> Barnes' comment:
>   http://lists.w3.org/Archives/Public/public-webcrypto/2014May/0037.html
> ... which seems to support an addition along the lines that Rich proposed.
> 
> Did I miss something?

Mark,


The unreferenced minutes was from an informal chair/editors discussion. 

The Working Group, at the suggestion of the implementers, moved into what is
known as a "bugzilla workmode". However, we will have a meeting, as stated by
Virginie, to go through the all the proposals from Last Call where there has
not been an agreed upon solution thought out. That meeting will happen after
the July 12th deadline for textual changes, so there's still time to try to see
if we can get some text everyone agrees on. 

I would note that (not sure if Rich noticed this) that his comments have had a
very positive effect on the document. At least in the version I'm looking at,
RSAES-PKCS1-v1.5 has been removed from even the "registered" algorithms.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Tuesday, 1 July 2014 19:41:45 UTC