[Bug 25607] Need to advise authors about security considerations

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607

--- Comment #12 from Ryan Sleevi <sleevi@google.com> ---
(In reply to Rich Salz from comment #11)
> I read the commit diff and nothing in it addresses any of the issues raised
> here:
>      The misleading term "recommended" is still used.
>      There is no section on security references
>      Specific guidance about avoiding known-bad mechanisms is not present

Please review the editor's draft
https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html (in
particular, the change from
https://dvcs.w3.org/hg/webcrypto-api/file/71498804a64d/spec/Overview.html )

The language that was incorporated was language from Vijay that you had
(seemingly) agreed met your requirements.

To your specific points:
- The misleading term "recommended" is still used.
  - Please review the editor's draft. In particular, see
https://dvcs.w3.org/hg/webcrypto-api/raw-file/71498804a64d/spec/Overview.html#algorithm-recommendations

  The term "recommended" has a particular meaning in the specification world,
not just the security world, and given that this is a specification, it's used to
signify just that - recommended for implementers of this spec.

- There is no section on security references
  - I believe we're at a WONTFIX here, because we've identified that the spec
is not a place to discuss these

- Specific guidance about avoiding known-bad mechanisms is not present
  - Please review the editor's draft. In particular,
https://dvcs.w3.org/hg/webcrypto-api/raw-file/71498804a64d/spec/Overview.html#algorithm-recommendations

>
> If you insist on putting it into RESOLVED state, the honest thing to do is
> make it WONTFIX.

There has certainly been every effort to understand and respect your concerns.
Additionally, multiple explanations have been provided as to why some of these
concerns are out of scope or inappropriate for this spec.

I encourage you to read the editor's draft, as a whole, at
https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html - as well
as review the log - https://dvcs.w3.org/hg/webcrypto-api/log

This bug contains many elements that are duplicates of already existing bugs
(as you note), and so other elements of concern have been addressed separately,
in those bugs.


Received on Tuesday, 17 June 2014 17:22:25 UTC