19:57:24 RRSAgent has joined #crypto 19:57:24 logging to http://www.w3.org/2013/06/17-crypto-irc 19:57:26 RRSAgent, make logs public 19:57:26 Zakim has joined #crypto 19:57:28 Zakim, this will be SEC_WebCryp 19:57:28 ok, trackbot; I see SEC_WebCryp()4:00PM scheduled to start in 3 minutes 19:57:29 Meeting: Web Cryptography Working Group Teleconference 19:57:29 Date: 17 June 2013 19:58:01 SEC_WebCryp()4:00PM has now started 19:58:07 + +1.512.257.aaaa 19:58:39 + +1.650.214.aabb 19:58:44 MichaelH has joined #crypto 19:59:10 nvdbleek has joined #crypto 19:59:12 Zakim, this will be SEC_WebCryp 19:59:12 ok, virginie, I see SEC_WebCryp()4:00PM already started 19:59:27 zakim, code? 19:59:27 the conference code is 27978 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), nvdbleek 19:59:32 + +1.415.294.aacc 19:59:57 +Virginie_Galindo 20:00:16 arunranga has joined #crypto 20:00:29 +??P4 20:00:31 Zakim, aaaa is MichaelH 20:00:31 +MichaelH; got it 20:00:31 zakim, who is on the call? 20:00:32 On the phone I see MichaelH, Google, +1.415.294.aacc, Virginie_Galindo, ??P4 20:00:32 Google has rsleevi 20:00:33 Zakim, who is here? 20:00:33 On the phone I see MichaelH, Google, +1.415.294.aacc, Virginie_Galindo, ??P4 20:00:36 Google has rsleevi 20:00:36 On IRC I see arunranga, nvdbleek, MichaelH, Zakim, RRSAgent, virginie, sangrae, jyates, jeffh, ale, tobie, rsleevi, eroman, slightlyoff, trackbot, wseltzer 20:00:37 zakim, I am ??P4 20:00:38 +nvdbleek; got it 20:00:38 +Wendy 20:00:50 Zakim, aacc is arunranga 20:00:50 +arunranga; got it 20:00:57 Chair: Virginie_Galindo 20:01:20 + +1.512.257.aadd 20:01:24 zakim, mute me 20:01:25 arunranga should now be muted 20:01:37 zakim, aadd is karn 20:01:37 +karn; got it 20:01:45 karen has joined #crypto 20:01:46 zakim, karn is really karen 20:01:46 +karen; got it 20:02:05 agenda? 20:02:12 +fjh 20:02:12 agenda+ Welcome 20:02:44 ddahl has joined #crypto 20:02:53 +[Microsoft] 20:03:13 zakim, Microsoft has Tony_Nadalin 20:03:13 +Tony_Nadalin; got it 20:03:32 agenda+ Focus on Web Crypto API 20:03:49 agenda+ resolution to go for next PWD on the Web Crypto API 20:03:54 agenda? 20:03:59 + +1.408.540.aaee 20:04:05 +[Microsoft.a] 20:04:15 +ddahl 20:04:19 zakim, Microsoft.a has Israel 20:04:19 +Israel; got it 20:04:29 zakim, aaee is Netflix 20:04:29 +Netflix; got it 20:04:30 scottk has joined #crypto 20:04:32 israelh has joined #crypto 20:04:48 zakim, Netflix has mwatson and scottk 20:04:48 +mwatson, scottk; got it 20:05:02 Zakim, who is here? 20:05:02 On the phone I see MichaelH, Google, arunranga (muted), Virginie_Galindo, nvdbleek, Wendy, karen, fjh, [Microsoft], Netflix, [Microsoft.a], ddahl 20:05:04 Netflix has mwatson, scottk 20:05:04 Google has rsleevi 20:05:04 [Microsoft] has Tony_Nadalin 20:05:04 [Microsoft.a] has Israel 20:05:04 On IRC I see israelh, scottk, ddahl, karen, arunranga, nvdbleek, MichaelH, Zakim, RRSAgent, virginie, sangrae, jyates, jeffh, ale, tobie, rsleevi, eroman, slightlyoff, trackbot, 20:05:04 ... wseltzer 20:05:13 + +1.415.997.aaff 20:05:17 markw has joined #crypto 20:05:27 alex russell 20:05:31 (just joined) 20:07:20 thanks 20:07:25 hi ale, can you identify yourself? 20:07:37 and fjh 20:07:39 I think IPcaller is sangrae 20:08:14 zakim, who is here? 20:08:14 On the phone I see MichaelH, Google, arunranga (muted), Virginie_Galindo, nvdbleek, Wendy, karen, fjh, [Microsoft], Netflix, [Microsoft.a], ddahl, slightlyoff 20:08:18 Netflix has mwatson, scottk 20:08:18 Google has rsleevi 20:08:18 [Microsoft] has Tony_Nadalin 20:08:18 [Microsoft.a] has Israel 20:08:18 On IRC I see markw, israelh, scottk, ddahl, karen, arunranga, nvdbleek, MichaelH, Zakim, RRSAgent, virginie, sangrae, jyates, jeffh, ale, tobie, rsleevi, eroman, slightlyoff, 20:08:18 ... trackbot, wseltzer 20:08:18 arunranga, hi, I'm a student from Italy, and I'm using the WebCryptoAPI for my thesis 20:08:22 mitchz has joined #crypto 20:08:24 present+ sangrae 20:08:39 Israelh is on the called muted 20:08:50 zakim, pick a victim 20:08:50 Not knowing who is chairing or who scribed recently, I propose ddahl 20:09:05 zakim, pick another victim 20:09:05 I don't understand 'pick another victim', wseltzer 20:09:06 zakim, pick a victim 20:09:06 Not knowing who is chairing or who scribed recently, I propose Tony_Nadalin 20:09:23 zakim, pick a victim 20:09:23 Not knowing who is chairing or who scribed recently, I propose arunranga (muted) 20:09:28 Happy to scribe! 20:09:31 scribenick: arunranga 20:09:35 I've a question/proposal but I think this is not the right time to discuss that, so I'll just lurk here :) 20:09:39 agenda? 20:10:16 mitchz has joined #crypto 20:10:43 zakim, take agenda 2 20:10:43 I don't understand 'take agenda 2', arunranga 20:10:49 zakim, take up agenda 2 20:10:49 agendum 2. "Focus on Web Crypto API" taken up [from virginie] 20:11:31 RS: I'd like to make sure we can nail down blockers for a public working draft. 20:11:43 RS: An email with the updates was pushed out. 20:12:07 RS: Key operation and Futures/Promises transition happened. We also updated ECDSA sample text. 20:12:21 RS: The main update is the Promises. 20:12:34 RS: We should also discuss wrap/unwrap issues. 20:13:30 VG: Using the two week draft, we'd like to initiate a heartbeat publication. 20:13:31 Q= 20:13:33 Q+ 20:13:46 + +1.857.928.aagg 20:13:56 MW: I'd like to talk about wrap/unwrap, which isn't implemented as per our discussions. 20:14:59 MW: We had a proposal, which the group did agree should be in the spec., but Ryan did some parts of this only partially vis-a-vis the original proposal. The part that's good is that Ryan has decoupled JWE from the actual key-wrapping format, which improves on the original. 20:15:33 MW: explicitly, a "wrap" is an "export+encrypt" and unwrap is "import+decrypt." 20:15:49 timeless has joined #crypto 20:16:15 MW: But, in order to make it work per the original, we propose a key to be included, which is currently left blank. The current text blocks that. 20:17:06 VG: Could we publish something that exposes the conflict? 20:17:40 s/propose a key to be included/proposed that a key format supporting attributes must be included/ 20:17:43 RS: I've proposed on the list a way to resolve these concerns. In particular, there isn't a crypto api that does this type of attribute carrying key format. 20:18:43 q+ 20:18:45 RS: In the interim, I've described a solution on the list. I have an implementation that can implement those aspects. The point of contention seems to be whether or not this is something that the spec has to deal with this. I've proposed on the list a way that doesn't necessitate spec. changes. 20:18:58 MW: [asks for clarification about listserv] 20:20:04 -[Microsoft.a] 20:20:05 zakim, unmute me 20:20:06 arunranga should no longer be muted 20:21:22 MW: What Ryan was suggesting was that for named keys, with usage unwrap, could have a special behavior, such that when used, the result would always have result extractable as false. 20:21:52 MW: What I said was that on the one had it had this extra feature, and we need a solution that also works for named keys. 20:22:56 VG: do we publish as is, including a note, or do we keep two weeks to go ahead with further discussion. 20:23:24 MW: What we'd like is to determine whether a key delivered by our server, which is not extractable, can be used within wrap/unwrap. 20:23:46 The proposal does not mandate Mark's proposal, but it does not prevent it either 20:23:57 +1 20:24:12 MW: I'd like to poll the group to determine whether non-extractable keys are a part of this proposal (for wrap / unwrap) 20:24:23 +1 20:24:47 +1 20:24:50 +1 20:24:59 -1 20:25:00 PROPOSAL-Tentative: SHould the spec. include an explicit non-extractable key for use within wrap /unwrap? 20:25:28 israelh has joined #crypto 20:26:11 PROPOSAL: Key unwrapping should include support for unwrapping of non-extractable keys without the key material being exposed to Javascript 20:26:42 +1 ;-) 20:26:47 +1 20:26:54 +1 20:27:01 +1 20:27:39 -1, but only because I don't want to block the heartbeat; I don't see how the process issue informs the substantive debate 20:27:57 +[Microsoft.a] 20:28:21 That is not accurate. 20:28:31 As described on the mailing list, I've put forward how it can be. 20:28:39 MW: Ryan's proposal would not allow you to construct a wrapped key in such a way that it would be non-extractable and not exposed to JavaScript. 20:29:07 Qualifying, without using named keys 20:29:19 VG: I would suggest we add something into the specification that there is something more in order to address the complete use case. 20:30:06 MW: If the proposal of the group is to go ahead with the blank sections, but commit to clarifying it later, I'm ok with that. 20:30:46 s/clarifying it later/including functionality accordng to the original proposal/ 20:31:12 VG: Ryan, would you agree to add something into the section that there is a need to clarify the "non-extractable and not exposed to JavaScript use case" within wrap/unwrap? 20:31:26 q+ 20:31:29 RS: I think this is unnecessary and redundant. But I'm happy to add an editorial note. 20:31:52 MW: more important than notes in the spec is to clarify what we're actually going to do in the spec. 20:32:06 yes, it's tactical 20:32:27 MichaelH_ has joined #crypto 20:32:27 -1 on technical for V1 (to be clear) 20:32:34 VG: I think we should move in a direction to make the non-extractable key not exposed to JS. 20:32:50 MW: Requirement is to do this in the main spec. WITHOUT using named keys. 20:33:33 q+ 20:33:34 +1 to address this issue on the V1 20:33:50 q+ 20:33:53 MH: Why would a non-extractable key be exposed to anything? 20:34:33 MW: What we'd like to do is have a key that's been wrapped in such a way that we can use the unwrapping method to install that key into web crypto. There would be NO way of getting that key in JS. 20:35:41 MW: The proposal is that there's a decrypt and an import. But if you want to apply that to a key, then you have to use a key format that carries that format. We can have a JWK format, which when decrypted and imported in one go ,will apply the attribute in the JWK over and above what's there. 20:36:10 MW: In JWE encapsulation, you'll have to do that in two steps. 20:36:38 MW: The content encryption key in the JWK, in the JWE structure, is the content encryption key wrapped with your pre-shared. 20:36:57 can whoever is typing mute themselves? 20:37:08 zakim, mute me 20:37:08 arunranga should now be muted 20:37:43 MW: (this is discussed on the listserv too): but the CEK (content encryption key) is specifically non-exportable. 20:38:25 MH: extractability is in two places? 20:38:49 MW: Yes. Since doing it in two steps, you'd need to make sure what the usages are in each steps. 20:39:05 MW: ANd because these are atomic operations, as far as web crypto knows, you don't have to know about the key format. 20:39:14 MW: But in order to make it work, you need to have attributes. 20:39:36 MW: What's atomic is the combination of decrypt and import. You'd have to do that twice. 20:40:11 MH: if the payload key is non-extractable, shouldn't the export fail? 20:40:49 MW: I'm describing an unwrap using a CEK. 20:41:01 MW: If you have no attributes on the CEK, I could use CEK to decrypt the payload. 20:41:13 how is this a good use of our time? 20:42:05 RS: Quick note. He says we need to have attributes on the export key format, which I don't believe is the case. 20:42:07 q+ 20:42:34 Proposal-Tentative: We go for a next public working draft, but include caveats about wrap/unwrap 20:42:42 +1 20:42:56 MW: Ryan, what you mention as a solution is to attach additional semantics to named keys. 20:43:47 RS: I've discussed multiple solution, and how they can look. I've tried to provide a short term to allow for the heartbeat, and we can discuss how longterm solutions might look, but that are also generic. 20:44:06 Proposal: We go for a next public working draft, but include caveats about wrap/unwrap 20:44:15 virginie has joined #crypto 20:44:23 q? 20:44:50 zakim, unmute me 20:44:50 arunranga should no longer be muted 20:45:39 Proposal: We go for a next public working draft, but include caveats about wrap/unwrap, including the open question of an explicit CEK and the non-named key case 20:45:46 zakim, mute arunranga 20:45:46 arunranga should now be muted 20:46:32 s/CEK/attributes/ 20:46:57 : Proposal: We go for a next public working draft, but include caveats about wrap/unwrap, including the open question of a explicit attributes and the non-named key case 20:47:11 s/a explicit attributes/explicit attributes 20:47:41 q+ 20:48:14 @rsleevi - by "V1" do you mean the first version of our document that goes to Recommendation 20:49:53 RS: we are committed to try to work towards a solution. I want to be clear that the proposal isn't a "must have." We are committed to working on it, but don't see it as an essential feature of the API. 20:50:25 RS: My clarification is that the solution as MW proposed won't be in the next public working draft. 20:51:05 MW: We had a long discussion about key wrapping and unwrapping, and a proposal to be included in the working draft. This has been partially implemented, and leaves some things blank. It would feel like a step backwards, if we say this would be in the "next version." 20:51:12 It's entirely consistent with our statement of "Feature at Risk" 20:51:26 and continues to keep Key Wrap/Unwrap in scope of our deliverable 20:51:52 RS: I want to make clear that we're committed to evolving an API that works. 20:52:23 q+ 20:52:33 I'm going to need to drop off the call 20:52:42 Sure 20:52:47 apologies, I'd hoped we'd get to Promises 20:52:51 q- 20:53:04 IH: I'd like to get more clarification on the meaning of "at risk." 20:53:22 IH: The way we've done it with other specs, like IndexedDB, when something is "at risk" we still went ahead. 20:53:37 israelh: that's one way to define that, and IndexedDB did that wrong IMO 20:53:39 IH: The way we define "at risk" was that if some implementors didn't implement it, it might have dropped off. 20:54:11 -ddahl 20:54:40 anyone else disconnected? 20:55:06 Proposal: The Working Draft includes an editor's note about the status of wrap / unwrap, notably a caveat about explicit attributes. 20:55:11 +ddahl 20:55:24 +1 to specifying in the spec that wrap/unwrap is underspecified, that more work is needed, to continuing to work in the WG to find a solution, but not changing wrap/unwrap as a feature at risk 20:55:35 +1 20:55:42 +1 20:55:46 +1 20:55:47 +1 20:55:48 +1 20:55:53 +1 20:55:54 +1 20:55:55 +1 with rsleevi clarifications 20:56:13 +1 to continuing to work in the WG to find a solution, but not changing wrap/unwrap as a feature at risk 20:56:20 (as rsleevi said) 20:57:01 zakim, who is here ? 20:57:01 On the phone I see MichaelH, Google, arunranga (muted), Virginie_Galindo, nvdbleek, Wendy, karen, fjh, [Microsoft], Netflix, slightlyoff, +1.857.928.aagg, [Microsoft.a], ddahl 20:57:02 markw, still there? 20:57:05 Netflix has mwatson, scottk 20:57:05 Google has rsleevi 20:57:05 [Microsoft] has Tony_Nadalin 20:57:05 On IRC I see virginie, MichaelH_, israelh, timeless, mitchz, markw, scottk, ddahl, karen, arunranga, nvdbleek, Zakim, RRSAgent, sangrae, jyates, jeffh, ale, tobie, rsleevi, eroman, 20:57:06 ... slightlyoff, trackbot, wseltzer 20:57:49 RESOLVED: Publish working draft as next heartbeat 20:58:23 great, thanks 20:58:51 is there an ical feed for this WG's meetings? 20:59:27 - +1.857.928.aagg 20:59:32 -slightlyoff 20:59:56 -Google 21:00:09 -Virginie_Galindo 21:00:10 -ddahl 21:00:10 -[Microsoft] 21:00:11 -Wendy 21:00:12 -Netflix 21:00:14 -arunranga 21:00:15 -fjh 21:00:17 -karen 21:00:18 -nvdbleek 21:00:30 -MichaelH_ 21:03:24 :) 21:15:31 trackbot, end teleconf 21:15:31 Zakim, list attendees 21:15:31 As of this point the attendees have been +1.512.257.aaaa, +1.650.214.aabb, +1.415.294.aacc, rsleevi, Virginie_Galindo, MichaelH, nvdbleek, Wendy, arunranga, +1.512.257.aadd, karen, 21:15:34 ... fjh, Tony_Nadalin, +1.408.540.aaee, [Microsoft], ddahl, Israel, mwatson, scottk, +1.415.997.aaff, slightlyoff, +1.857.928.aagg 21:15:39 RRSAgent, please draft minutes 21:15:39 I have made the request to generate http://www.w3.org/2013/06/17-crypto-minutes.html trackbot 21:15:40 RRSAgent, bye 21:15:40 I see no action items