RE: [Bug 27816] New: IANA considerations review for definition of algorithms from Mike Jones on 2015-11-13 (public-webcrypto@w3.org from November 2015)

From: Mike Jones <Michael.Jones@microsoft.com>
Date: Fri, 13 Nov 2015 19:16:58 +0000
To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <BY2PR03MB442357C70807C06373244F0F5110@BY2PR03MB442.namprd03.prod.outlook.com>

Looking at the latest editor's draft at https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#iana-section-jws-jwa, the required "Algorithm Analysis Documents" field has not been added to the JSON Web Signature and Encryption Algorithms registrations.

This must be addressed before the CR transition, or the requested IANA registrations will be rejected.

    -- Mike

-----Original Message-----
From: bugzilla@jessica.w3.org [mailto:bugzilla@jessica.w3.org] 
Sent: Monday, January 12, 2015 1:10 PM
To: public-webcrypto@w3.org
Subject: [Bug 27816] New: IANA considerations review for definition of algorithms

https://www.w3.org/Bugs/Public/show_bug.cgi?id=27816

            Bug ID: 27816
           Summary: IANA considerations review for definition of
                    algorithms
           Product: Web Cryptography
           Version: unspecified
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: ietf@augustcellars.com
                CC: public-webcrypto@w3.org

Please consider this to be a possible IANA considerations review.  It is not completely clear that this is what I would say at the time the document shows up.  But it does indicate my current thinking and a discussion will likely help in forming final opinions.

This set of registrations is problematic due a change that has occurred since this path was initially embarked on.

The IESG made a request for algorithm analysis be added as part of the process of registering a new algorithm so that the designated experts would have a set of usable documents to determine what the security levels of algorithms are. 
It was assumed that this was not necessary for the initial registrations as the working group had the chance to discuss this to death during the process.  This means that there is an additional requirement

  Algorithm Analysis Documents(s):
      References to publication(s) in well-known cryptographic
      conferences, by national standards bodies, or by other
      authoritative sources analyzing the cryptographic soundness of the
      algorithm to be registered.  The designated experts may require
      convincing evidence of the cryptographic soundness of a new
      algorithm to be provided with the registration request unless the
      algorithm is being registered as Deprecated or Prohibited.  Having
      gone through working group and IETF review, the initial
      registrations made by this document are exempt from the need to
      provide this information.

It is not clear to me that this is satisfiable for a number of algorithms that registration is being requested for in this case.  (It is also not clear that this field needs to be filled out unless it is requested by the DE so the fact that it is currently absent is not an apriori failure.)

It is very possible that after some discussions a resolution Won't fix is reasonable.

--
You are receiving this mail because:
You are on the CC list for the bug.

Received on Friday, 13 November 2015 19:17:29 UTC