- From: <bugzilla@jessica.w3.org>
- Date: Thu, 19 Jun 2014 19:23:41 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607

--- Comment #14 from Ryan Sleevi <sleevi@google.com> ---

(In reply to Harry Halpin from comment #13)
> The term "recommended" has caused continual confusion by the public in the
> two senses of recommended for implementation vs. recommended for new
> protocols. I believe one suggestion was to use "Suggested for interoperable
> implementation".
> Rich and Ryan, would that help?
>
> So we could replace "18.2. Recommended algorithms" -> "18.2. Suggested
> algorithms for interoperability"
>
> "Thus users of this API should check to see what algorithms are currently
> recommended and supported by implementations" ->
> "Thus users of this API should check to see what algorithms are currently
> supported by implementation. At the state of this publication,
> interoperability is given by the test-suite available at @@."
>

Harry,

I would ask the same thing I asked of Rich: That you review the ED that was published and proposed as a resolution for this issue. Your reference to 18.2 suggests you are looking at the WGLC, which is not really helpful for the discussion here.

For example, https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#algorithm-recommendations

"Recommendations
20.5.2 For Implementers
In order to promote interoperability for developers, this specification includes a list of suggested algorithms"

That is, the term "recommended algorithms" does not appear within the spec, as it stands, at all.

Additionally, a significantly expanded section in 20.5.1 has been added that clarifies, for authors, the need to read security considerations are. It incorporates all of the concerns raised on this bug, without the factually incorrect and misleading statement of "insecure".

Finally, the "Security Considerations" itself has been significantly beefed up, as described in https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#security-developers

And if that horse was not so thoroughly beaten to glue by now, as a result of this bug, the algorithm overview (link broken at the moment) contains yet another "scary warning" as a note - "Application developers and script authors should not interpret this table as a recommendation for the use of particular algorithms. Instead, it simply documents what operations are supported. Authors should refer to the Security considerations for authors section of this document to better understand the risks and concerns that may arise when using certain algorithms."

This is why, editorially, I believe this issue has been addressed, with the exception of the Security References, which I continue to assert is a pointless exercise.

--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Thursday, 19 June 2014 19:23:42 UTC