19:56:21 <RRSAgent> RRSAgent has joined #crypto
19:56:21 <RRSAgent> logging to http://www.w3.org/2013/08/19-crypto-irc
19:56:21 <trackbot> Zakim, this will be SEC_WebCryp
19:56:21 <Zakim> ok, trackbot, I see SEC_WebCryp()4:00PM already started
19:56:22 <trackbot> Meeting: Web Cryptography Working Group Teleconference
19:56:22 <trackbot> Date: 19 August 2013
19:56:25 <Zakim> +Virginie_Galindo
19:56:39 <virginie> zakim, who is on the phone ?
19:56:39 <Zakim> On the phone I see Virginie_Galindo
19:56:43 <virginie> agenda?
19:56:49 <virginie> agenda+ welcome
19:56:51 <Zakim> +kodonog
19:57:05 <Zakim> +Wendy
19:57:31 <jimsch> jimsch has joined #Crypto
19:57:57 <wseltzer> agenda+ Agenda bashing
19:58:01 <virginie> agenda+ specification status with respect to publication
19:58:12 <Zakim> +karen
19:58:14 <kodonog> kodonog has joined #crypto
19:58:14 <Zakim> + +1.857.928.aaaa
19:58:30 <wseltzer> zakim, aaaa is Joanne
19:58:30 <Zakim> +Joanne; got it
19:58:52 <kodonog> ?
19:59:08 <virginie> zakim, who is on the phone ?
19:59:08 <Zakim> On the phone I see Virginie_Galindo, kodonog, Wendy, karen, Joanne
19:59:19 <wseltzer> zakim, karen is really jimsch
19:59:19 <Zakim> +jimsch; got it
19:59:24 <virginie> zakim, who is on the phone ?
19:59:24 <Zakim> On the phone I see Virginie_Galindo, kodonog, Wendy, jimsch, Joanne
19:59:26 <nvdbleek> zakim, code?
19:59:26 <Zakim> the conference code is 27978 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), nvdbleek
19:59:48 <karen> karen has joined #crypto
19:59:51 <Zakim> +[Microsoft]
19:59:51 <wseltzer> chair: Virginie_Galindo
19:59:52 <virginie> agenda?
19:59:54 <Zakim> +nvdbleek
20:00:08 <Zakim> +[Microsoft.a]
20:00:21 <wseltzer> zakim, Microsoft has selfissued
20:00:21 <Zakim> +selfissued; got it
20:00:35 <selfissued> selfissued has joined #crypto
20:01:34 <Zakim> + +1.857.445.aabb
20:02:01 <MichaelH> MichaelH has joined #crypto
20:02:02 <Zakim> +Karen
20:02:05 <ddahl> ddahl has joined #crypto
20:02:08 <Zakim> - +1.857.445.aabb
20:02:27 <virginie> zakim, who is on the phone ?
20:02:27 <Zakim> On the phone I see Virginie_Galindo, kodonog, Wendy, jimsch, Joanne, [Microsoft], nvdbleek, [Microsoft.a], Karen
20:02:29 <Zakim> [Microsoft] has selfissued
20:02:39 <Zakim> +MichaelH
20:02:56 <virginie> zakim, who is on the phone ?
20:02:56 <Zakim> On the phone I see Virginie_Galindo, kodonog, Wendy, jimsch, Joanne, [Microsoft], nvdbleek, [Microsoft.a], Karen, MichaelH
20:02:58 <Zakim> [Microsoft] has selfissued
20:03:10 <Zakim> +ddahl
20:03:13 <markw> markw has joined #crypto
20:03:14 <Zakim> + +1.415.294.aacc
20:03:15 <Zakim> +google
20:03:35 <wseltzer> zakim, google has rsleevi
20:03:35 <Zakim> +rsleevi; got it
20:03:40 <arunranga> arunranga has joined #crypto
20:03:44 <Zakim> +markw_
20:03:47 <arunranga> Zakim, who is on the call?
20:03:47 <Zakim> On the phone I see Virginie_Galindo, kodonog, Wendy, jimsch, Joanne, [Microsoft], nvdbleek, [Microsoft.a], Karen, MichaelH, ddahl, +1.415.294.aacc, google, markw_
20:03:51 <Zakim> [Microsoft] has selfissued
20:03:51 <Zakim> google has rsleevi
20:03:55 <arunranga> Zakim, aacc is arunranga
20:03:55 <Zakim> +arunranga; got it
20:03:55 <virginie> zakim, who is on the phone ?
20:03:56 <Zakim> On the phone I see Virginie_Galindo, kodonog, Wendy, jimsch, Joanne, [Microsoft], nvdbleek, [Microsoft.a], Karen, MichaelH, ddahl, arunranga, google, markw_
20:03:56 <Zakim> [Microsoft] has selfissued
20:03:56 <Zakim> google has rsleevi
20:04:32 <virginie> zakim, who is on the phone ?
20:04:32 <Zakim> On the phone I see Virginie_Galindo, kodonog, Wendy, jimsch, Joanne, [Microsoft], nvdbleek, [Microsoft.a], Karen, MichaelH, ddahl, arunranga, google, markw_
20:04:35 <Zakim> [Microsoft] has selfissued
20:04:35 <Zakim> google has ericroman
20:05:05 <arunranga> Zakim, mute me
20:05:05 <Zakim> arunranga should now be muted
20:06:16 <wseltzer> zakim, pick a scribe
20:06:16 <Zakim> Not knowing who is chairing or who scribed recently, I propose selfissued
20:06:36 <Zakim> +[Microsoft.aa]
20:06:57 <wseltzer> zakim, Microsoft.aa has israelh
20:06:57 <Zakim> +israelh; got it
20:07:08 <Israelh> Israelh has joined #Crypto
20:07:21 <Zakim> +[GVoice]
20:07:25 <wseltzer> zakim, pick a scribe
20:07:25 <Zakim> Not knowing who is chairing or who scribed recently, I propose [Microsoft.a]
20:07:41 <Zakim> Not knowing who is chairing or who scribed recently, I propose [Microsoft]
20:07:44 <Zakim> Not knowing who is chairing or who scribed recently, I propose [Microsoft]
20:07:46 <Zakim> Not knowing who is chairing or who scribed recently, I propose [Microsoft.a]
20:07:49 <Zakim> Not knowing who is chairing or who scribed recently, I propose markw_
20:07:50 <wseltzer> zakim, who is on the phone?
20:07:50 <Zakim> On the phone I see Virginie_Galindo, kodonog, Wendy, jimsch, Joanne, [Microsoft], nvdbleek, [Microsoft.a], Karen, MichaelH, ddahl, arunranga (muted), google, markw_,
20:07:53 <Zakim> ... [Microsoft.aa], [GVoice]
20:07:53 <Zakim> [Microsoft] has selfissued
20:07:53 <Zakim> [Microsoft.aa] has israelh
20:07:53 <Zakim> google has ericroman
20:08:01 <eroman> eroman has joined #crypto
20:08:15 <bryaneyler> bryaneyler has joined #crypto
20:08:24 <markw> scribenick markw_
20:09:06 <wseltzer> scribenick: markw
20:09:25 <markw> scribenick: markw_
20:09:59 <markw> virginie: topics:
20:10:04 <markw> ... extractability
20:10:14 <virginie> agenda+ last minutes discussion
20:10:24 <virginie> agenda+ wrap/unwrap/import/export
20:10:33 <virginie> agenda+ questions on promises
20:10:41 <virginie> agenda+ extractability attribute
20:10:45 <virginie> agenda?
20:11:06 <Zakim> -[Microsoft.aa]
20:12:18 <arunranga> Zakim, unmute me
20:12:18 <Zakim> arunranga should no longer be muted
20:12:19 <markw> virginie: where are we with respect to publication ?
20:12:24 <markw> ... arun, mark ?
20:12:42 <markw> arun: been on vacation, sorry for the delay, will take care of it soon
20:12:46 <virginie> zakim, who is on the phone ?
20:12:47 <Zakim> On the phone I see Virginie_Galindo, kodonog, Wendy, jimsch, Joanne, [Microsoft], nvdbleek, [Microsoft.a], Karen, MichaelH, ddahl, arunranga, google, markw_, [GVoice]
20:12:47 <Zakim> [Microsoft] has selfissued
20:12:47 <Zakim> google has rsleevi, eroman
20:13:00 <markw> ... believe all feedback taken into account and there is time during pubrules round to take into account any other points
20:13:24 <markw> virginie: agreed to go to next public working draft based on existing editors draft. We should publish what we have.
20:13:40 <markw> mark: in same situation as arus
20:13:44 <arunranga> +1 ok by me
20:13:45 <markw> s/arus/arun.
20:13:49 <arunranga> Zakim, mute me
20:13:49 <Zakim> arunranga should now be muted
20:13:51 <markw> s/arus/arun/
20:14:07 <virginie> agenda?
20:14:13 <markw> zakim, take up agendum 4
20:14:13 <Zakim> agendum 4. "last minutes discussion" taken up [from virginie]
20:14:22 <virginie> http://www.w3.org/2013/08/05-crypto-minutes.html
20:14:34 <markw> ???: minutes mention a registry
20:14:47 <markw> s/???/jimsch/
20:15:03 <markw> ... do you need an IANA registry or entries in one of the JOSE registries
20:15:26 <markw> rsleevie: entries in one of the JOSE registries, but getting that set up is dependent on JOSE drafts
20:15:57 <markw> jimsch: should be minutes of the last meeting be updated to reflect this ?
20:16:16 <markw> virginie: only if there is actually mistakes in the minutes, ok to minute it in this meeting
20:17:06 <rsleevi> Note that either way, the 'extractability' aspect is gated upon the publication of JOSE. Getting it into JOSE makes it easier to experiment early, but arguably both are valid approaches, PRESUMING that the attribute(s) are welcomed by the JOSE IANA registry
20:17:20 <markw> wseltzer: ok to use this meeting's minutes if it is just a clarification
20:17:23 <jimsch> Just a note in these minutes is acceptable to me
20:17:44 <virginie> agenda?
20:18:09 <markw> zakim, take up agendum 5
20:18:09 <Zakim> agendum 5. "wrap/unwrap/import/export" taken up [from virginie]
20:18:38 <markw> virginie: we are blocked on the extractability item
20:18:53 <markw> ... also we don't have a proposal for the import/export sections
20:18:55 <israelh> israelh has joined #Crypto
20:18:59 <markw> ... ryan - do you have an update
20:19:16 <markw> rsleevi: markw and I have an ongoing discussion on the extractability
20:19:40 <markw> ... trying to work through the appropriate security guarantees and theats
20:20:09 <markw> virginie: I don't understand how the discussion on security models in this context influences our specification
20:20:25 <markw> ... will it have a direct impact on the technical solution or only on security considerations ?
20:20:26 <Zakim> +[Microsoft.aa]
20:20:46 <markw> rsleevi: key question is what guaratees can a script author expect from the UA
20:21:04 <markw> ... concerns on our side that attempt to provide guarantees inconsistent with the web security model
20:21:40 <markw> virginie: today we have one attribute, extractablity. Is one of the outcomes that we remove extractability vs accept what has been proposed ?
20:22:05 <markw> rsleevi: specification is current "caller specifies", where it assume non-hostile JS at the time of unwrap
20:22:17 <markw> ... IIUC mark's concern is unwrapping in the presence of hostile JS
20:22:42 <markw> ... mark's propsosed using extractability attribute which works with JOSE and not with other formats
20:22:49 <arunranga> Zakim, unmute me
20:22:49 <Zakim> arunranga should no longer be muted
20:23:05 <virginie> q?
20:23:09 <markw> ... also discussion of explicit or implicit "viralness" where in unwrapped keys obtain attributes from the unwrapping key
20:23:27 <arunranga> q+ to ask about other areas of Crypto API that are jeopardized if the script environment can't be trusted
20:23:33 <markw> ... boils down to fundamental questions on the security model - when is the script considered hostile
20:23:41 <markw> ... before the unwrap, after etc.
20:23:43 <markw> q+
20:23:48 <wseltzer> ack markw
20:24:02 <wseltzer> markw: I made a few slides
20:24:14 <markw> https://docs.google.com/presentation/d/1S2t3ZS_LNXneaslaTPe8eULfYDAwnNVwlmJCnLcxcg0/edit?usp=sharing
20:25:42 <wseltzer> [markw reads from slides at https://docs.google.com/presentation/d/1S2t3ZS_LNXneaslaTPe8eULfYDAwnNVwlmJCnLcxcg0/ ]
20:27:38 <selfissued> q+
20:27:57 <rsleevi> q+
20:29:01 <tobie> tobie has joined #crypto
20:29:16 <markw> arunranga: teh way I understand the proposal is that the UA must respect the extractable attribute and this is how hostile scripts are prevented from accessing the key
20:29:29 <markw> ... makes sense if you don't want to use HTTPS
20:29:45 <markw> ... aren't there other parts of the API where this problem exists too ?
20:30:28 <rsleevi> Actually, I'll minute that - Arun's summation reflects our concerns/objections
20:30:45 <markw> ... arunranga: have bee trying to catch up and this presentation clarifies things
20:31:14 <markw> ... mark wants the extractability attribute to be respected to lend more security than encrypting the key in transport
20:32:36 <jimsch> q+
20:32:57 <virginie> ack arunranga
20:32:57 <Zakim> arunranga, you wanted to ask about other areas of Crypto API that are jeopardized if the script environment can't be trusted
20:33:52 <markw> markw: other aspects of the API don't similarly read on the importance of the location of the key (UA or JS)
20:36:01 <arunranga> q-
20:36:17 <virginie> q+
20:37:15 <markw> ... the slides are intended to demonstrate that if extractability is useful at all then its also useful to have it maintained over unwrap as proposed
20:37:59 <markw> selfissued: [point about X.5096 that the scribe missed due to scribe interrupt]
20:38:21 <markw> rsleevi: [responded to selfissued, also during scribe interrupt]
20:38:48 <markw> rsleevi: extractability is when you go from known good environment and there is a possibility of hostile environment at later point in time
20:39:02 <markw> ... at the time your perform the operation you are going from a known good environment
20:39:27 <markw> ... current specification has the same semantics whatever operation you are doing
20:39:50 <markw> ... arun's question about whether there are other API calls that are risky in a hostile environment ?
20:40:01 <tobie> tobie has joined #crypto
20:40:14 <markw> ... pkcs paper circulated earlier shows some ways of extracting keying material using other operations
20:40:47 <markw> ... current approach reflects current web security principles of using HTTPS to reduce the chance of hostile JS
20:41:03 <markw> ... in which case the value of what mark proposed disappears
20:41:36 <jimsch> ack
20:41:37 <markw> jimsch: there are some other places where we have a model where we d similar things. e.g. signature operation and the key is not extractable then you restrict the set of hash operations
20:41:50 <arunranga> ack jimsch
20:41:54 <markw> q+
20:42:17 <arunranga> jimsch, that's a good comparison
20:42:20 <markw> virginie: we are having this discussion because there is a business value on the extractability for Netflix
20:42:33 <markw> ... on the other hand we have brower makers who don't want to take this on
20:42:40 <markw> ... situation is blocked
20:42:53 <markw> ... either we find a consensus or we remove the feature from the specification
20:43:21 <tobie> tobie has joined #crypto
20:43:25 <markw> ... questions for the Editor: if we remove extractable attribute, is that a big change ?
20:43:52 <markw> rsleevi: removing extractability would be a mistake - would be a significant and fundamental design change
20:44:27 <arunranga> +1 to keeping extractability.  More thinking needed to determine its applicability to wrap/unwrap (at least on my part)
20:44:37 <MichaelH> +1
20:44:40 <jimsch> +1
20:44:42 <markw> +1
20:44:44 <rsleevi> +1 to what Arun said exactly
20:44:45 <ddahl> +1
20:44:47 <wseltzer> +1
20:44:48 <kodonog> +1
20:44:57 <markw> virginie; staw poll: who would like to keep extractability ?
20:45:02 <nvdbleek> +1
20:45:07 <karen> +1
20:45:10 <selfissued> +1
20:45:16 <selfissued> Keep extractability
20:45:27 <israelh> +1
20:46:26 <arunranga> q?
20:47:03 <jimsch> +1
20:47:12 <rsleevi> -1
20:47:14 <selfissued> +1
20:47:18 <markw> virginie: another straw poll; who is interested in maintaining extractability across wrap/unwrap - should we spend more time on that
20:47:20 <markw> +1
20:47:25 <nvdbleek> +1
20:47:26 <israelh> +1 on what mark has been proposing
20:47:27 <MichaelH> +1
20:48:16 <israelh> q+
20:49:16 <markw> israelh: we have already supported the concept mark is proposing in our implementation
20:49:43 <markw> virginie: [scribe missed the question]
20:50:10 <jimsch> isrealh, how are you propogating the bit?
20:50:13 <virginie> is Microsoft happy with the implementations of wrap/unwrap and extractability
20:50:22 <markw> isrealh: our concern now is supporting the live Netflix beta site - seems to be working
20:50:57 <markw> virginie: good to hear that one implemtor is happy with mark's proposal
20:51:27 <rsleevi> Note that our concern is not that it cannot be implemented, simply that it cannot be reliably secured nor is it consistent with our web security position (HTTP vs HTTPS, SOP, hostile script)
20:51:44 <markw> virginie: we will continue to discuss this, but we have ryan on one side who is unhappy with the implications for the security model and we have at least two people interested in this
20:52:09 <virginie> q?
20:52:19 <israelh> q-\
20:52:23 <israelh> q-
20:52:55 <jimsch> markw: does not see this is a big concern to the web security model like ryan
20:53:30 <jimsch> ...  want to have a guarentee to a key in the future after it was imported
20:53:37 <rsleevi> To be clear, the point of disagreement with Mark's slides is at what point in time the executing Javascript is compromised
20:53:53 <rsleevi> It provides the same "going forward" protection
20:54:00 <rsleevi> The question is whether it provides protection *when* compromised
20:54:27 <markw> @rsleevi: look at the length of the grey arrows on slides 4 and five and imagine the timescale is the same - it's not the same guarantee
20:55:06 <markw> virginie: ryan, do you have something to propose on import/export ?
20:55:25 <markw> rsleevi: waiting for resolution of how these should behave, specifically as related to extractability
20:56:59 <markw> @rsleevi: the point of extractability is that it introduces the possibility that you can have compromised Javascript without compromised keys. Without extractability compromised js => compromised keys
20:57:28 <markw> jimsch: JOSE currently shooting to enter last call around next IETF meeting in November
20:57:46 <markw> ... have conf calls scheduled between now and then to work through the remaining issues
20:58:09 <markw> virginie: any other topics ?
20:58:14 <rsleevi> @markw: Again on the point in time discussion. compromised Javascript = all operations performed during compromise are suspect. That would include wrap/unwrap, as much as encrypt/decrypt/etc.
20:58:17 <markw> all: <silence>
20:58:23 <Zakim> -[GVoice]
20:58:39 <wseltzer> q+
20:58:42 <markw> virginie: have blogged about progress on WebCrypto and there were many hits/links
20:59:38 <markw> wseltzer: thanks - if you want to link to blog post from W3C site we can arrange that
20:59:42 <arunranga> zakim, mute me
20:59:42 <Zakim> arunranga should now be muted
21:00:24 <markw> virginie: thank you. Not sure how much progress we made. Next meeting in two weeks.
21:00:28 <Zakim> -[Microsoft.aa]
21:00:31 <markw> ... meeting adjourned
21:00:31 <Zakim> -Karen
21:00:32 <Zakim> -google
21:00:32 <Zakim> -ddahl
21:00:34 <Zakim> -jimsch
21:00:34 <Zakim> -Wendy
21:00:35 <Zakim> -Joanne
21:00:35 <Zakim> -Virginie_Galindo
21:00:37 <Zakim> -nvdbleek
21:00:37 <Zakim> -markw_
21:00:38 <Zakim> -[Microsoft]
21:00:38 <Zakim> -[Microsoft.a]
21:00:41 <Zakim> -MichaelH
21:00:48 <rsleevi> rsleevi has left #crypto
21:01:19 <Zakim> -kodonog
21:04:09 <markw> trackbot, make minutes
21:04:09 <trackbot> Sorry, markw, I don't understand 'trackbot, make minutes'. Please refer to <http://www.w3.org/2005/06/tracker/irc> for help.
21:04:21 <Zakim> -arunranga
21:04:22 <Zakim> SEC_WebCryp()4:00PM has ended
21:04:22 <Zakim> Attendees were Virginie_Galindo, kodonog, Wendy, +1.857.928.aaaa, Joanne, jimsch, nvdbleek, selfissued, +1.857.445.aabb, Karen, MichaelH, ddahl, +1.415.294.aacc, rsleevi, markw_,
21:04:22 <Zakim> ... arunranga, ericroman, [Microsoft], israelh, [GVoice], eroman
21:04:35 <wseltzer> trackbot, end teleconf
21:04:35 <trackbot> Zakim, list attendees
21:04:35 <Zakim> sorry, trackbot, I don't know what conference this is
21:04:43 <trackbot> RRSAgent, please draft minutes
21:04:43 <RRSAgent> I have made the request to generate http://www.w3.org/2013/08/19-crypto-minutes.html trackbot
21:04:44 <trackbot> RRSAgent, bye
21:04:56 <wseltzer> RRSAgent, make minutes public
21:04:56 <RRSAgent> I'm logging. I don't understand 'make minutes public', wseltzer.  Try /msg RRSAgent help
21:05:01 <wseltzer> RRSAgent, make logs public
21:09:26 <selfissued> selfissued has joined #crypto
21:29:40 <tobie> tobie has joined #crypto
21:36:25 <ddahl> ddahl has joined #crypto
22:01:08 <tobie> tobie has joined #crypto
23:10:45 <tobie> tobie has joined #crypto