Re: WebCrypto edits on key material (Option 2) from Harry Halpin on 2016-01-18 (public-webcrypto@w3.org from January 2016)

From: Harry Halpin <hhalpin@w3.org>
Date: Mon, 18 Jan 2016 18:36:03 -0500
To: Ryan Sleevi <sleevi@google.com>
CC: GALINDO Virginie <Virginie.Galindo@gemalto.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <569D76E3.3050501@w3.org>
On 01/18/2016 06:01 PM, Ryan Sleevi wrote:
>
>
> On Mon, Jan 18, 2016 at 1:22 PM, Harry Halpin <hhalpin@w3.org
> <mailto:hhalpin@w3.org>> wrote:
>
>
>     We're asking that the editors remove everything that doesn't have
>     two interoperable implementations. That's the definition of
>     exiting Candidate Recommendation.
>
>
> Yes, I'm aware of what the definition is.
>
> What seems unclear, still, is how unreasonable that request is given
> the current situation for the WG.
>
> How are we to determine two interoperable implementations? The tests
> that magically appear? Is it the editors who need to install and test
> every permutation, presumably writing the tests?

Note that we had a large discussion and asked for help from browser
vendors over testing about a year ago.  Would you or Google be able to
contribute more tests?

If so, that would be be great. If not, we can assume we will have no new
tests and have to make due.

>
> And what happens when something lacks interoperability, but is
> strongly desired (or worse, required) by certain large sites? Remove
> it from the spec? Or try to work out what the interoperable solution
> and make changes are - e.g. what most WGs try to do, but you seem to
> be actively opposed to.
>  
New features that need interop that aren't in the CR version of the spec
just go into WebCrypto 1.1, which I'm happy to recharter - but we have
to show we have some success with WebCrypto 1.0  I'd like that to
happen. Right now, our job is to figure out where we are in current
implementations. If we can do that, a new charter will definitely happen.

You need to scope the parts you don't think are interoperable. In
particular, non-JOSE key formats and Workers have been brought up. Do
you have anything else in mind?



> Harry, I think you are grossly underestimating the work that's
> required or, if you think it's simply a matter of going with a
> metaphorical red pen and striking out everything, grossly
> overestimating the value of a spec that nether reflects users nor
> implementors desires.

I'd prefer it if 1) specific bugs were brought up and 2) if you don't
think removing non-interoperable features should be done, then you need
to propose a solution and we need at least one other UA agent to agree.


>
> In either event, it's clear that without other UAs being involved,
> what you're requesting is unrealistic.
>
> You're putting process above users, above developers, above
> implementations. This is how the W3C got into obsolence in the first
> place. It would be great if you could channel your energies towards
> exiting CR not in attempting to singularly remove by fiat large
> portions of the spec (and, to be clear, we're talking about removing
> all asymmetric encryption if we adopt your standard, among other
> things), and instead work to get other user agents involved.
>
> In either event, it's becoming increasingly clear that I don't think I
> have the time or energy to accomplish what you're asking, let alone
> the agreement that it is in the interests of users, sites, or browsers
> - or the W3C.


If we have *specific* bugs with time-frames and UA involvement, then I'm
sure the W3C would be happy to work this into a new charter!

 However, if we continue with the current state of affairs (i.e. no
further UA progress), then the Working Group will expire at end t arof
March and we'll be stuck with an out of date spec with features that are
non-interoperable, and the charter will not be renewed for further work.
That's probably the worst of all worlds :(

So - again, can you list specific bugs you'd like fixed, and see if UA
agents can chime in with opinions?

>  
>
>     As stated earlier, we can re-charter in maintenance mode to allow
>     a 'living spec', but its unreasonable to have the spec sit in CR
>     for more than a year if parts of the spec do not reflect
>     underlying implementations. Given there has been *no* movement on
>     the spec for more nearly a year, I don't think waiting for other
>     UAs to get throw resources at this spec makes sense, although we'd
>     be happy to hear more news.
>
>
> Harry, the spec is sitting because there's no clear direction where to
> take it precisely because the underlying implementations disagree on
> things, and no one is talking about what they think is the right
> thing, nor indicating that if the spec said do X that they would do it.


However, we also have had virtually no progress on this for a year or so
and Virginie has been trying to finalize things in terms of our charter
since September - so, it's not like this push should be a surprise. We
understand that many UA implementers may not care to invest resources
into WebCrypto at this point. If they do, please chime in.


   cheers,
         harry
Received on Monday, 18 January 2016 23:36:31 UTC