Re: [Cfrg] Request from W3C Web Crypto WG to adopt "Security Considerations" document?

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Wed, 06 August 2014 10:16 UTC

Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17B421B2D12 for <cfrg@ietfa.amsl.com>; Wed, 6 Aug 2014 03:16:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4dslfJgS7bEf for <cfrg@ietfa.amsl.com>; Wed, 6 Aug 2014 03:16:52 -0700 (PDT)
Received: from emea01-db3-obe.outbound.protection.outlook.com (mail-db3lrp0081.outbound.protection.outlook.com [213.199.154.81]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E94CB1B28B9 for <cfrg@irtf.org>; Wed, 6 Aug 2014 03:16:51 -0700 (PDT)
Received: from DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) by DBXPR03MB381.eurprd03.prod.outlook.com (10.141.10.11) with Microsoft SMTP Server (TLS) id 15.0.995.14; Wed, 6 Aug 2014 10:16:48 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) by DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) with mapi id 15.00.0995.014; Wed, 6 Aug 2014 10:16:48 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Harry Halpin <hhalpin@w3.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Request from W3C Web Crypto WG to adopt "Security Considerations" document?
Thread-Index: AQHPpTiUOLwQAa0+o0SvSKtW2u0xbZusJ3QAgBTGf4CAApdjAA==
Date: Wed, 6 Aug 2014 10:16:47 +0000
Message-ID: <D007BF01.295A3%kenny.paterson@rhul.ac.uk>
References: <53CD9D23.6030401@w3.org> <CFF422C0.28814%kenny.paterson@rhul.ac.uk> <53DFE219.4020702@w3.org>
In-Reply-To: <53DFE219.4020702@w3.org>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.3.140616
x-originating-ip: [134.219.227.30]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:
x-forefront-prvs: 02951C14DC
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(377454003)(479174003)(24454002)(52604005)(199002)(51704005)(189002)(36756003)(66066001)(4396001)(31966008)(101416001)(79102001)(107046002)(107886001)(19580405001)(77982001)(83322001)(19580395003)(561944003)(85306004)(19273905006)(80022001)(64706001)(86362001)(83506001)(15975445006)(21056001)(20776003)(81342001)(2656002)(87936001)(74502001)(74482001)(74662001)(15202345003)(106116001)(83072002)(81542001)(105586002)(106356001)(76176999)(50986999)(54356999)(76482001)(46102001)(15395725005)(92566001)(92726001)(99396002)(563064011); DIR:OUT; SFP:; SCL:1; SRVR:DBXPR03MB381; H:DBXPR03MB383.eurprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5F870EB610FA5D418C35CD04DFB0C3AE@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/NkTQOauKesgCAX95KoZlgCfPM7E
Subject: Re: [Cfrg] Request from W3C Web Crypto WG to adopt "Security Considerations" document?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Aug 2014 10:16:55 -0000

Harry

Excellent, thanks for confirming. We await your draft with interest!

Cheers,

Kenny 

On 04/08/2014 20:42, "Harry Halpin" <hhalpin@w3.org> wrote:

>On 07/22/2014 08:26 PM, Paterson, Kenny wrote:
>> Dear Harry,
>> 
>> The CFRG would be interested in being involved in this activity. As you
>> say, it should have wider applicability than W3C, and there's a good
>> chance that CFRG will have a greater longevity than the WebCrypto
>>working
>> group.
>> 
>> With luck, the CFRG session here in Toronto tomorrow will not be so
>>packed
>> with other things that we can't squeeze a few words from Wendy Seltzer
>> into the AoB. The CFRG chairs are also around all week if she wants to
>> catch us beforehand.
>
>
>I believe Wendy managed to discuss this in the CFRG AOB. Just to
>confirm, we will produce an Informational RFC for the consideration of
>CFRG as soon as possible for the per-algorithm security considerations.
>The W3C appreciates the support of the CFRG in this matter, which we
>agree may have wider applicability than the W3C Web Cryptography API.
>
>  thanks,
>       harry
>
>
>> 
>> Regards,
>> 
>> Kenny 
>> 
>> On 21/07/2014 19:07, "Harry Halpin" <hhalpin@w3.org> wrote:
>> 
>>> CFRG,
>>>
>>>  The W3C Web Cryptography Working Group has an open issue on Security
>>> Considerations for the Web Cryptography API [1], with details in the
>>> bugzilla [2].
>>>
>>> Graham Steel (INRIA), with feedback from Rich Salz and help from the
>>> W3C staff, is willing to help create a "per-algorithm" security
>>> consideration Informational RFC for the algorithms listed in the Web
>>> Cryptography API (see his blog post [3]). However, as the landscape of
>>> algorithms is changing and the Web Cryptography Working Group may have
>>>a
>>> finite lifespan, we thought the CFRG would be a place to host such a
>>> document as the CFRG will continue after the Web Crypto Working Group
>>> ends and the CFRG obviously has the experience and expertise to help
>>> make sure such a document reaches the high standards the Internet
>>> community deserves.
>>>
>>> Would the CFRG be OK with publishing such a document and maintaining
>>>it,
>>> if we took the effort to produce the first draft and the W3C helped in
>>> maintaining it? We think such a list of known attacks on a popular
>>> subset of algorithms would be useful also to other IETF and W3C
>>> standards, although the need is most pressing with the Web Crypto API.
>>>
>>> Although I will not be at IETF Toronto, Wendy Seltzer from the W3C will
>>> be, and we hope this can be discussed during the "AOB" session at the
>>> CFRG meeting.
>>>
>>> Please inform us over at the Web Cryptography WG if this proposal is
>>> accepted by CFRG.
>>>
>>>  cheers,
>>>    harry
>>>
>>> [1]https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
>>> [2]https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607
>>> [3]http://cryptosense.com/choice-of-algorithms-in-the-w3c-crypto-api/
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> http://www.irtf.org/mailman/listinfo/cfrg
>>>
>> 
>