Re: [Cfrg] Request from W3C Web Crypto WG to adopt "Security Considerations" document?

Harry Halpin <> Mon, 04 August 2014 19:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 546F01A0305 for <>; Mon, 4 Aug 2014 12:42:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.203
X-Spam-Status: No, score=-4.203 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wvJ2_csX4pWj for <>; Mon, 4 Aug 2014 12:42:26 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C12E51A0302 for <>; Mon, 4 Aug 2014 12:42:26 -0700 (PDT)
Received: from ([] helo=[]) by with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from <>) id 1XEO9I-0002UO-DG; Mon, 04 Aug 2014 15:42:24 -0400
Message-ID: <>
Date: Mon, 04 Aug 2014 21:42:17 +0200
From: Harry Halpin <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: "Paterson, Kenny" <>, "" <>
References: <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Cfrg] Request from W3C Web Crypto WG to adopt "Security Considerations" document?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Aug 2014 19:42:30 -0000

On 07/22/2014 08:26 PM, Paterson, Kenny wrote:
> Dear Harry,
> The CFRG would be interested in being involved in this activity. As you
> say, it should have wider applicability than W3C, and there's a good
> chance that CFRG will have a greater longevity than the WebCrypto working
> group.
> With luck, the CFRG session here in Toronto tomorrow will not be so packed
> with other things that we can't squeeze a few words from Wendy Seltzer
> into the AoB. The CFRG chairs are also around all week if she wants to
> catch us beforehand.

I believe Wendy managed to discuss this in the CFRG AOB. Just to
confirm, we will produce an Informational RFC for the consideration of
CFRG as soon as possible for the per-algorithm security considerations.
The W3C appreciates the support of the CFRG in this matter, which we
agree may have wider applicability than the W3C Web Cryptography API.


> Regards,
> Kenny 
> On 21/07/2014 19:07, "Harry Halpin" <> wrote:
>> CFRG,
>>  The W3C Web Cryptography Working Group has an open issue on Security
>> Considerations for the Web Cryptography API [1], with details in the
>> bugzilla [2].
>> Graham Steel (INRIA), with feedback from Rich Salz and help from the
>> W3C staff, is willing to help create a "per-algorithm" security
>> consideration Informational RFC for the algorithms listed in the Web
>> Cryptography API (see his blog post [3]). However, as the landscape of
>> algorithms is changing and the Web Cryptography Working Group may have a
>> finite lifespan, we thought the CFRG would be a place to host such a
>> document as the CFRG will continue after the Web Crypto Working Group
>> ends and the CFRG obviously has the experience and expertise to help
>> make sure such a document reaches the high standards the Internet
>> community deserves.
>> Would the CFRG be OK with publishing such a document and maintaining it,
>> if we took the effort to produce the first draft and the W3C helped in
>> maintaining it? We think such a list of known attacks on a popular
>> subset of algorithms would be useful also to other IETF and W3C
>> standards, although the need is most pressing with the Web Crypto API.
>> Although I will not be at IETF Toronto, Wendy Seltzer from the W3C will
>> be, and we hope this can be discussed during the "AOB" session at the
>> CFRG meeting.
>> Please inform us over at the Web Cryptography WG if this proposal is
>> accepted by CFRG.
>>  cheers,
>>    harry
>> [1]
>> [2]
>> [3]
>> _______________________________________________
>> Cfrg mailing list