[Cfrg] Request from W3C Web Crypto WG to adopt "Security Considerations" document?

Harry Halpin <hhalpin@w3.org> Mon, 21 July 2014 23:07 UTC

Message-ID: <53CD9D23.6030401@w3.org>
Date: Tue, 22 Jul 2014 01:07:15 +0200
From: Harry Halpin <hhalpin@w3.org>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/FmO12pVISIqXi8wZy5YVeo6Jop8
Subject: [Cfrg] Request from W3C Web Crypto WG to adopt "Security Considerations" document?

CFRG,

  The W3C Web Cryptography Working Group has an open issue on Security
Considerations for the Web Cryptography API [1], with details in the
bugzilla [2].

 Graham Steel (INRIA), with feedback from Rich Salz and help from the
W3C staff, is willing to help create a "per-algorithm" security
consideration Informational RFC for the algorithms listed in the Web
Cryptography API (see his blog post [3]). However, as the landscape of
algorithms is changing and the Web Cryptography Working Group may have a
finite lifespan, we thought the CFRG would be a place to host such a
document as the CFRG will continue after the Web Crypto Working Group
ends and the CFRG obviously has the experience and expertise to help
make sure such a document reaches the high standards the Internet
community deserves.

Would the CFRG be OK with publishing such a document and maintaining it,
if we took the effort to produce the first draft and the W3C helped in
maintaining it? We think such a list of known attacks on a popular
subset of algorithms would be useful also to other IETF and W3C
standards, although the need is most pressing with the Web Crypto API.

Although I will not be at IETF Toronto, Wendy Seltzer from the W3C will
be, and we hope this can be discussed during the "AOB" session at the
CFRG meeting.

Please inform us over at the Web Cryptography WG if this proposal is
accepted by CFRG.

  cheers,
    harry

[1] https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
[2] https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607
[3] http://cryptosense.com/choice-of-algorithms-in-the-w3c-crypto-api/