[Bug 25618] Extensibility: Offer spec-blessed ways to extend the algorithms and curves, rather than monkey-patching the spec from bugzilla@jessica.w3.org on 2014-10-09 (public-webcrypto@w3.org from October 2014)

From: <bugzilla@jessica.w3.org>
Date: Thu, 09 Oct 2014 15:25:12 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25618-7213-xgCNrvv10D@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25618

--- Comment #36 from Harry Halpin <hhalpin@w3.org> ---
"Anne and Ryan's position seems to be that in practice anyone shipping S1 will
also be forced to ship S2, so we do implementors of S1 a disservice by
pretending in S1 that S2 does not exist: they end up discovering the hard way,
via bug reports about stuff being broken, that S2 does in fact exist and needs
to be implemented."

By this logic, I might add, we can't ship Version 5 until we are done with
Version 6. 

Again, "this really depends on what exactly S2 is". S2 is at least one (Curve
25519 spec and a possible NUMS curve spec depending on results of CFRG
discussion) and likely future extension specs that are being developed at their
own pace. No one is "pretending" S2 doesn't exist. It's just consensus to
uniformly implement them across all browsers does not exist yet. However, at
least one browser vendor will implement some S2s (Microsoft) and possibly more
in the future. 

Also we have algorithms that are nationally mandated (GOST in Russia, SEED in
Korea, etc.) supported by entire industries around custom browser builds for
those governments. Being a global standards body, it seems we don't want to
shut them out of using W3C standards. 

It seems like extension specs are needed in this case. 

I still do not see a good argument against it. The argument is "People might
think extension spec is implemented, realize it isn't, and file a bug report."
In which case if the bug report is for a spec like Curve 25519 which Google
isn't sure about supporting with WebCrypto, you think that having or not having
bug reports from developers might help them make that decision. 

If developers want to know what browsers definitely support an extension S2
like Curve 25519, they could just check on where it is in W3C process as well.

Thus, the pain of not having the ability to easily extend seems to outweigh the
fact that folks might be bug reports.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Thursday, 9 October 2014 15:25:17 UTC