- From: <bugzilla@jessica.w3.org>
- Date: Thu, 19 Jun 2014 14:48:00 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607
Harry Halpin <hhalpin@w3.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hhalpin@w3.org
--- Comment #13 from Harry Halpin <hhalpin@w3.org> ---
(In reply to Ryan Sleevi from comment #12)
> (In reply to Rich Salz from comment #11)
> > I read the commit diff and nothing in it addresses any of the issues raised
> > here:
> > The misleading term "recommended" is still used.
> > There is no section on security references
> > Specific guidance about avoiding known-bad mechanisms is not present
>
> Please review the editor's draft
> https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html (in
> particular, the change from
> https://dvcs.w3.org/hg/webcrypto-api/file/71498804a64d/spec/Overview.html )
>
> The language that was incorporated was language from Vijay that you had
> (seemingly) agreed met your requirements.
>
> To your specific points:
> - The misleading term "recommended" is still used.
> - Please review the editor's draft. In particular, see
>
> The term "recommended" has a particular meaning in the specification
> world, not just the security world, and given as this is a specification,
> it's used to signify just that - recommended for implementers of this spec.
The term "recommended" has caused continual confusion by the public in the two
sense of recommendeed for implementation vs. recommended for new protocols. I
believe one suggestion was to use "Suggested for interoperable implementation".
Rich and Ryan, would that help?
So we could replace "18.2. Recommended algorithms" -> "18.2. Suggested
algorithms for interoperability"
"Thus users of this API should check to see what algorithms are currently
recommended and supported by implementations" ->
"Thus users of this API should check to see what algorithms are currently
supported by implementation. At the state of this publication, interoperability
is given by the test-suite available at @@."
That may also help the bugs about interoperability being raised elsewhere.
>
> - There is no section on security references
> - I believe we're at a WONTFIX here, because we've identified that the
> spec is not a place to discuss these
>
> - Specific guidance about avoiding known-bad mechanisms is not present
> - Please review the editor's draft. In particular,
> https://dvcs.w3.org/hg/webcrypto-api/raw-file/71498804a64d/spec/Overview.
> html#algorithm-recommendations
>
> >
> > If you insist on putting it into RESOLVED state, the honest thing to do is
> > make it WONTFIX.
>
> There has certainly been every effort to understand and respect your
> concerns. Additionally, multiple explanations have been provided as to why
> some of these concerns are out of scope or inappropriate for this spec.
>
> I encourage you to read the editor's draft, as a whole, at
> https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html - as
> well as review the log - https://dvcs.w3.org/hg/webcrypto-api/log
>
> This bug contains many elements that are duplicate with already existing
> bugs (as you note), and so other elements of concern have been addressed
> separately, in those bugs.
As regards the larger issue of security recommendations, see the messae from
Virginie Gallindo:
http://lists.w3.org/Archives/Public/public-webcrypto/2014Jun/0130.html
I still think precise text (that we would need to formulate) would need to
dealt with either via a reference or informative note (although possibly big
red flag) in the "Securiy Considerations" section. Alternatively, we could try
to revisit and re-open the per algorithm listing. Rich, do you any preference?
We need a very concrete proposal, ideally with precise text changes. Would
Graham or Kenny be able to make a text-level proposal?
--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Thursday, 19 June 2014 14:48:02 UTC