Re: [Cfrg] Request from W3C Web Crypto WG to adopt "Security Considerations" document?

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Tue, 22 July 2014 18:26 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Harry Halpin <hhalpin@w3.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Tue, 22 Jul 2014 18:26:42 +0000
Message-ID: <CFF422C0.28814%kenny.paterson@rhul.ac.uk>
References: <53CD9D23.6030401@w3.org>
In-Reply-To: <53CD9D23.6030401@w3.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/exnuCo01_tBsflmVPBpMOOV6Ac8

Dear Harry,

The CFRG would be interested in being involved in this activity. As you
say, it should have wider applicability than W3C, and there's a good
chance that CFRG will have a greater longevity than the WebCrypto working
group.

With luck, the CFRG session here in Toronto tomorrow will not be so packed
with other things that we can't squeeze a few words from Wendy Seltzer
into the AoB. The CFRG chairs are also around all week if she wants to
catch us beforehand.

Regards,

Kenny 

On 21/07/2014 19:07, "Harry Halpin" <hhalpin@w3.org> wrote:

>CFRG,
>
>  The W3C Web Cryptography Working Group has an open issue on Security
>Considerations for the Web Cryptography API [1], with details in the
>bugzilla [2].
>
> Graham Steel (INRIA), with feedback from Rich Salz and help from the
>W3C staff, is willing to help create a "per-algorithm" security
>consideration Informational RFC for the algorithms listed in the Web
>Cryptography API (see his blog post [3]). However, as the landscape of
>algorithms is changing and the Web Cryptography Working Group may have a
>finite lifespan, we thought the CFRG would be a place to host such a
>document as the CFRG will continue after the Web Crypto Working Group
>ends and the CFRG obviously has the experience and expertise to help
>make sure such a document reaches the high standards the Internet
>community deserves.
>
>Would the CFRG be OK with publishing such a document and maintaining it,
>if we took the effort to produce the first draft and the W3C helped in
>maintaining it? We think such a list of known attacks on a popular
>subset of algorithms would be useful also to other IETF and W3C
>standards, although the need is most pressing with the Web Crypto API.
>
>Although I will not be at IETF Toronto, Wendy Seltzer from the W3C will
>be, and we hope this can be discussed during the "AOB" session at the
>CFRG meeting.
>
>Please inform us over at the Web Cryptography WG if this proposal is
>accepted by CFRG.
>
>  cheers,
>    harry
>
>[1] https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
>[2] https://www.w3.org/Bugs/Public/show_bug.cgi?id=25607
>[3] http://cryptosense.com/choice-of-algorithms-in-the-w3c-crypto-api/