- From: Tim Taubert <ttaubert@mozilla.com>
- Date: Wed, 24 Feb 2016 11:54:47 +0100
- To: hhalpin <hhalpin@w3.org>
- CC: public-webcrypto@w3.org
hhalpin wrote: > Since we have some new members, here's the current state of play to > update (and old members know this already, but you may want to swap it > in before the call). > > The goal of getting to CR is to make the spec reflect accurately the > reality. Each underlying feature should have two independent > implementations, which in our case is two independent browser teams (so > Chrome on Android and Chrome on Windows don't count, but Chrome on > Android vs. Edge on Windows counts). > > * Getting to CR: > > First, we have to resolve two formal objections. We have already sent a > list of attacks made by Graham Steel (INRIA) to IRTF [1] and so we just > need to add a reference to that for the spec and I need to give it a > quick update to reflect latest rounds of comments and another > INRIA/ENISA internal review. The second is to determine the state of > play with non-NIST curves, i.e. most likely Curve25519 in terms of > implementation. Unless two browsers have committed to implementing > Curve25519 and revealing to WebCrypto, then we can say its still > en-route and we'll update when that's ready, and the liaison with IRTF > CFRG continues. > > The last part is we have to show that we show for our CR *at minimum* > that algorithms have at least two implementations. If they don't, he > wanted them removed from the spec. > > Here's my last check from Nov 2015: > https://www.w3.org/2012/webcrypto/CR-report/ > > Based on: > https://github.com/diafygi/webcrypto-examples/ > > It needs to be updated to reflect RSA-PSS support by Firefox, and we > need to actually remove the algorithms from spec that are not being > implemented across two or more browsers. Just a note that Firefox 47 will also bring HKDF support to WebCrypto in Firefox. The algorithm name is "HKDF" and the implementation is compatible with Chrome's, i.e. RFC 5869. See also https://www.w3.org/Bugs/Public/show_bug.cgi?id=27425 - Tim > * Test-suite > > We can also, as Ryan wants, do a much more thorough testing. For an > example of this, see: > > http://testthewebforward.org/ > > And then those tests are added to the HTML5 effort [2] (see test of > randomValues for an example). I earlier wanted to do this, but currently > browser test-suites would need to be converted, or we'd have to redo the > tests. If I can find 2-3 people to help with this task, I'm all for it > and pushing it hard over the next few months. > > * Work mode > > Up until now we were/are using W3C's repo. I migrated the spec to Github > and suggest we migrate all issues and close the W3C's repo down for the > final push on WebCrypto to CR. > > I suggest weekly meetings to really push things over the next few months > if people are OK with that. > > Any thoughts? > > yours, > harry > > [1] https://datatracker.ietf.org/doc/draft-irtf-cfrg-webcrypto-algorithms/ > [2] https://github.com/w3c/web-platform-tests/tree/master/WebCryptoAPI
Received on Wednesday, 24 February 2016 10:56:16 UTC