RE: Extensibility is a MUST for WebCrypto to leave Last Call

And here’s what I wrote in reply in BugZilla:

“Yes, I am specifically objecting to the position that extensions require an update to the base specification.  I don't believe this is the case and that's why I wrote "Our expectation is that whatever the mechanism, an extension will not impact the base specification nor compromise implementations that comply with the base spec." We can make a specification that allows extensions in defined places and the act of making those extensions changes nothing in the base spec.  Having a defined extension point in the base spec is not in any way equivalent to a forward reference to an undefined normative or informative reference.”

So, yes, I am specifically challenging the claim that extensions “always involve an update to the base specification.”  I don’t believe that.

As to your second point, as I’ve already demonstrated (and as your edits started to address), we need to make all the hard-coded algorithm lists currently in the spec extensible.  It’s not sufficient to simply say “add a new algorithm” if that means, for example, that to implement RSA-PSS with SHA-3 I have to drop in my own RSA-PSS implementation because the base spec says “SHA-1 or SHA-2 or FAIL”.

--bal

From: Mark Watson [mailto:watsonm@netflix.com]
Sent: Thursday, October 9, 2014 7:40 AM
To: Brian LaMacchia
Cc: public-webcrypto@w3.org; Mike Jones; Vijay Bharadwaj; Israel Hilerio; Anthony Nadalin
Subject: Re: Extensibility is a MUST for WebCrypto to leave Last Call

Brian,

As per my comment in the bug, the assumptions on which we made this decision are now contested. No one is suggesting we should not be able to extend WebCrypto, but Google and Mozilla are arguing that such extensions always involve an update to the base specification.

As an aside, the specification DOES ALREADY include the extension point necessary to add new algorithms. This has been stable for some time and there is no proposal to remove it.

...Mark

On Thu, Oct 9, 2014 at 7:06 AM, Brian LaMacchia <bal@microsoft.com> wrote:
Folks,

As you are all well aware, we have had extensive discussions in this WG (on both the list and during our conference calls) on the need for defined extensibility points in the WebCrypto specification. The result of those discussions was an agreement that those defined extension points would be added to the specification as part of resolving Bug #25618 (https://www.w3.org/Bugs/Public/show_bug.cgi?id=25618), which was the placeholder for this work.  Co-editor Mark Watson has already made those changes to the draft and asked for them to be reviewed.

Speaking on behalf of Microsoft and our two independent implementations of WebCrypto (Internet Explorer 11+ and the MSR JavaScript Cryptography Library), we believe that the spec should not exit Last Call without having a well-defined extensibility mechanism that allows the definition and integration of new cryptographic algorithms.  Our expectation is that whatever the mechanism, an extension will not impact the base specification nor compromise implementations that comply with the base spec.

--bal

Received on Thursday, 9 October 2014 14:52:31 UTC