[Bug 25839] Curve25519 Named Curve from bugzilla@jessica.w3.org on 2014-06-25 (public-webcrypto@w3.org from June 2014)

From: <bugzilla@jessica.w3.org>
Date: Wed, 25 Jun 2014 21:28:56 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25839-7213-yTcXrWRcx7@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839

--- Comment #41 from Brian LaMacchia <bal@microsoft.com> ---
(In reply to virginie.galindo from comment #39)
> Matt, Greg, Brian, Henri,
> 
> The team (chair/staff/editors) made a status this week on Web Crypto API
> Last Call and discussed a way to move forward on this bug [1]. 
> 
> There are two algorithms requested here curve 25519 (requested by users) and
> MRS curve (requested by one implementer). If we want to have them as part of
> this Working Group deliverable, we need to have some contribution,
> describing those algorithms. 
> 
> Provided the low support from implementers to those algorithms (as of today,
> only microsoft is promoting MRS curve) this makes that features at risk
> (meaning that they may disappear from the specification when we will move to
> Proposed Recommendation). The team thought that it would be more efficient
> to have those algorithms described in separate specifications. Those
> specifications, complementing the Web Crypto API would aim to be
> recommendations, following the W3C recommendation process. By choosing to
> have separate document we make sure that (1) we do not delay the Web Crypto
> API and (2) have fruitful and fair discussions around the algorithms
> description. Recommendations status relies on the fact that WG is able to
> demonstrate at least 2 implementations. As such, if any of those separate
> specification becomes a recommendation, we will manage to re-integrate it
> into the next version of the Web Crypto API. 
> 
> Based on this recommended plan, how to move forward on this bug ?
> We can associate those additional specifications to our current last call
> track, if (1) those additional specifications are available in a timeframe
> suitable to our Last Call milestones and (2) the additional specifications
> provided are agreed by the WG. As such, could you please provide the WG with
> a description of those algorithms as a separate specification, as a
> complement to the Web Crypto API. You can name it 'Web Crypto API - Curve
> 25519 algorithm' and 'Web Crypto API - MRS curve algorithm'. please make
> sure that the description is compatible with the current vocabulary and
> semantic of the main specification 'Web Crypto API'. 
>  
> We expect the additional specifications by the 11th of July (remember, we
> are in Last Call process and are targeting to solve bugs and get out of it
> asap). 
> 
> My take is that the workload will be split as follow : 
> - MRS curve -> editor may be brian
> - curve 25519 -> editor may be matt (or henri ?)
> 
> Thanks for confirming that you are volunteering to write that contribution
> and can deliver it on time. 
> 
> Virginie
> chair of Web Crypto WG
> 
> [1] http://lists.w3.org/Archives/Public/public-webcrypto/2014Jun/0151.html

Hello Virginie,

I will commit to providing text for at least the MSR curves, but we (Microsoft)
disagree with your suggestion that the bug be resolved via extension
specifications.  Our consensus opinion is that it would be much better if we
try to resolve this bug with changes to the main text.  As has been pointed out
previously, the current text in the draft implies that in order to implement
ECDSA and ECDH, one must implement all of the NIST Prime curves, and the text
in sections 18.8 and 18.9 must be modified to permit anything other than the
NIST curves to be used.  So main text edits are required to resolve this bug in
any way other than “won’t fix”.

Given all algorithms are optional, we think that we should put all of these
non-NIST curves into the main text and then choose one of the two following
positions:

1)    All curves are optional to implement, including the NIST curves
2)    NIST P-256 and NIST P-384 are mandatory-to-implement if you implement
ECDSA and/or ECDH, and everything else is optional.  (I would not argue for
P-521 to be mandatory as it’s just not used in practice anywhere.)

If we following this procedure, then additional curves may be added to the list
of named curves and we will just have to change the NIST curve-only text.  We
can add Curve25519, the MSR curves and even the Brainpool curves (as I pointed
out in my original bug comment) as a group to accommodate the various requests
that have been received.  We think that’s the best way forward.  

Assuming you agree with this revised proposal, I’ll commit to being point
person for the MSR curves and collaborating with Matt and Henri on a combined
set of edits to permit non-NIST curves to be used in Web Crypto.

Thanks,

--bal

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Received on Wednesday, 25 June 2014 21:28:58 UTC