- From: Harry Halpin <hhalpin@w3.org>
- Date: Mon, 14 Sep 2015 15:59:39 -0400
- To: public-webcrypto@w3.org
An update from IETF/CFRG, as per discussion with Stephen Farrell, we do
have a draft security guidelines document. Once the algorithms in the
spec are settled, we can ship to CFRG and ask to be an informational
note [1]. W3C will take responsibility with INRIA for editing the note,
and will synchronize it to the ENISA report given the ENISA report has
wide review [2], but its coverage is different than the WebCrypto API
and it may not be updated quick enough. This should resolve the
objection from Rich Salz from Akamai.
In terms of 'non-NIST' EC curves, note that the CFRG has reached
consensus on Curve 25519 (as earlier spec'ed by Trevor Perrin) and Curve
448 for curves [1]. There is currently a vote on signatures open till
Sept 24th. However, I will also note that Mozilla is the only one
implementing (it seems) ECDSA and ECDH. Thus, the recommendation from
IETF is not to link our work directly in terms of any timeline to their
work, but simply as we in the WebCrypto WG agreed earlier 1) if there is
agreeement and 2) sufficient implementation then to move to add other
elliptic curves.
cheers,
harry
[1]
http://www.w3.org/2012/webcrypto/draft-irtf-cfrg-webcrypto-algorithms-00.txt
[2]
https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-size-and-parameters-report-2014
[3] http://datatracker.ietf.org/doc/draft-irtf-cfrg-curves/
Received on Monday, 14 September 2015 19:59:40 UTC