IETF Logo Mail Archive

Re: [Cfrg] Proposed Informational Note: Security Guidelines for Cryptographic Algorithms in the W3C Web Cryptography API

Harry Halpin <hhalpin@w3.org> Thu, 20 November 2014 18:17 UTC

Return-Path: <hhalpin@w3.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F149D1A1A8C for <cfrg@ietfa.amsl.com>; Thu, 20 Nov 2014 10:17:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.496
X-Spam-Level:
X-Spam-Status: No, score=-7.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9gsxKC1Nn7k6 for <cfrg@ietfa.amsl.com>; Thu, 20 Nov 2014 10:17:52 -0800 (PST)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2E7B1A1B6D for <cfrg@irtf.org>; Thu, 20 Nov 2014 10:17:48 -0800 (PST)
Received: from [81.80.203.35] (helo=[172.17.2.197]) by jay.w3.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from <hhalpin@w3.org>) id 1XrWId-0002Ew-Mr; Thu, 20 Nov 2014 13:17:47 -0500
Message-ID: <546E3044.6010403@w3.org>
Date: Thu, 20 Nov 2014 19:17:40 +0100
From: Harry Halpin <hhalpin@w3.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
References: <mailman.2305.1416497925.5552.cfrg@irtf.org> <546E297D.5040405@gmail.com> <CACsn0cmXqSQv74obdxvkp8M_U4JF_h64ZBF5A_aG6QLWUzQAQQ@mail.gmail.com>
In-Reply-To: <CACsn0cmXqSQv74obdxvkp8M_U4JF_h64ZBF5A_aG6QLWUzQAQQ@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/4Dv8LLc3ncx1-699yW-tx9NXE-I
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Proposed Informational Note: Security Guidelines for Cryptographic Algorithms in the W3C Web Cryptography API
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Nov 2014 18:17:56 -0000


On 11/20/2014 07:09 PM, Watson Ladd wrote:
> On Nov 20, 2014 9:49 AM, "Yaron Sheffer" <yaronf.ietf@gmail.com> wrote:
>>
>> Hi Harry,
>>
>> The draft makes for fascinating reading for CFRG folks, as can be seen by
> the mailing list discussion. But I think it does not make any sense to
> "developers" (programmers who typically have next to no understanding of
> crypto, and certainly none at all of formal security models/proofs). They
> simply would not understand 90% of the text.

Agreed. However, we do hope they look at the table that has simple
"YES/NO" recommendations when choosing algorithms. We also need to keep
that table reasonably up to date in the future.

We initially thought we should keep such a table in the spec, but the
editor and others rightfully noted that this advice belongs somewhere
else as spec will stabilize and should focus on JS-specific concerns,
not keeping up with the crypto research landscape (which seems more CFRG
territory).

> 
>>
>> So it may be fine as a rationale for the selected list of algorithms. It
> may be fine for a few star crypto developers. But IMHO, not for the general
> population of people who'll be coding to your API.
> 
> Should people who don't know anything about cryptography write code that
> uses it? We've already mentioned that protocol design is hard, but that
> will force a lot of other choices, so it's not clear what is actually
> addressed by these recommendations.

We try to address this in the "introduction", encouraging people not to
write new protocols. What is addressed is algorithms that we should
encourage for future use. For example, many web developers may just want
a "hash" and thus default to SHA-1 unless we tell them otherwise.

> 
> Unlike TLS this is not about properly configuring an implementation.  It's
> a case where the developers have unbounded creativity, and so can mess it
> up in unexpected ways, which no list of negative commandments can cover.
> 
> The right approach is to design misuse resistant primitives on top of the
> ones in Webcrypto, and tell programmers to use them.

That is also a separable and equally difficult problem the WebCrypto WG
discussed. Instead, we released a "kitchen sink" approach of low-level
primitives and are hoping "the market" produces some good easy-to-use JS
libraries. If that doesn't happen in short order, I'm sure the W3C would
be interested in helping, and we'd want CFRG's advice in that matter as
well.

   cheers,
       hary

> 
> Sincerely,
> Watson Ladd
> 
>>
>> I am a co-author of the TLS BCP (
> http://tools.ietf.org/html/draft-ietf-uta-tls-bcp-06). It certainly has its
> share of flaws, but what we did right is to clearly mark recommendations
> vs. rationale, and to simplify recommendations as much as we could.
>>
>> Thanks,
>>         Yaron
>>
>>
>>
>>>
>>> Everyone,
>>>
>>> As the W3C Web Cryptography API gets ready to move to Candidate
>>> Recommendation, we wanted to address the concerns brought up by Rich
>>> Salz and others for better security guidelines for developers, given
>>> that the API exposes a variety of algorithms. I've taken Graham Steel's
>>> excellent write-up, which is in a large part based on Smart et al.'s
>>> magisterial ENISA report,  and have turned it into a draft CFRG note.
>>>
>>> We'd like to see the security guidelines below discussed here, and if
>>> there's no objections after discussion, move this onwards. W3C commits
>>> to maintaining this note as much as possible.
>>>
>>> Links to draft:
>>>
>>> TXT:
>>>
> http://www.w3.org/2012/webcrypto/draft-irtf-cfrg-webcrypto-algorithms-00.txt
>>> HTML:
>>>
> http://www.w3.org/2012/webcrypto/draft-irtf-cfrg-webcrypto-algorithms-00.html
>>>
>>> cheers,
>>>      harry
>>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
> 
> 
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email