19:32:49 RRSAgent has joined #crypto
19:32:49 logging to http://www.w3.org/2013/10/14-crypto-irc
19:32:51 RRSAgent, make logs public
19:32:51 Zakim has joined #crypto
19:32:53 Zakim, this will be SEC_WebCryp
19:32:53 ok, trackbot; I see SEC_WebCryp()4:00PM scheduled to start in 28 minutes
19:32:54 Meeting: Web Cryptography Working Group Teleconference
19:32:54 Date: 14 October 2013
19:38:57 Jyates has joined #Crypto
19:43:47 mete has joined #crypto
19:46:41 ale has joined #crypto
19:46:43 sangrae has joined #crypto
19:50:22 Jyates has joined #Crypto
19:52:13 SEC_WebCryp()4:00PM has now started
19:52:14 + +90533302aaaa
19:52:19 mete has joined #crypto
19:52:23 - +90533302aaaa
19:52:25 SEC_WebCryp()4:00PM has ended
19:52:25 Attendees were +90533302aaaa
19:53:10 SEC_WebCryp()4:00PM has now started
19:53:11 + +90533302aaaa
19:57:09 Zakim, what's the code?
19:57:09 the conference code is 27978 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), hhalpin
19:57:39 +[IPcaller]
19:57:41 -[IPcaller]
19:57:41 +[IPcaller]
19:57:46 Zakim, [IPcaller] is hhalpin
19:57:47 +hhalpin; got it
19:57:54 +Michael_Hutchinson
19:57:55 +[GVoice]
19:58:18 bryaneyler has joined #crypto
19:58:53 arunranga has joined #crypto
19:58:54 +JYates
19:59:12 +[IPcaller]
19:59:47 MichaelH has joined #crypto
19:59:57 Zakim, who's on the phone?
19:59:57 On the phone I see mete, hhalpin, Michael_Hutchinson, [GVoice], JYates, [IPcaller]
20:00:05 Who is GVoice and IPcaller?
20:00:15 +arunranga
20:00:46 Zakim, who is on the phone?
20:00:46 On the phone I see mete, hhalpin, Michael_Hutchinson, [GVoice], JYates, [IPcaller], arunranga
20:00:55 Zakim, mute
20:00:55 I don't understand 'mute', arunranga
20:01:01 Zakim, mute me
20:01:01 arunranga should now be muted
20:01:02 Zakim, GVoice is bryaneyler
20:01:02 +bryaneyler; got it
20:01:16 this is sangrae calling from Skype
20:01:39 jimsch has joined #crypto
20:02:24 topic: Web Certificate API and Future of the WG
20:02:33 mountie, want to introduce?
20:02:58 http://mountielee.github.io/webcertapi/webcertapi_draft.html
20:03:04 W3C Editor’s Draft 11 October 2013
20:03:09 Oct 11th?
20:03:17 Which API?
20:03:18 +[IPcaller.a]
20:03:22 has the link?
20:03:26 Zakim, pick a scribe?
20:03:26 I don't understand your question, hhalpin.
20:03:35 Zakim, [IPcller] is jimsch
20:03:35 sorry, jimsch, I do not recognize a party named '[IPcller]'
20:03:37 Zakim, pick a scribe
20:03:37 Not knowing who is chairing or who scribed recently, I propose [IPcaller]
20:03:51 Zakim, IPcaller is jimsch
20:03:51 +jimsch; got it
20:03:54 Zakim, IPcaller is jimsch
20:03:54 sorry, hhalpin, I do not recognize a party named 'IPcaller'
20:03:57 Zakim, pick a scribe
20:03:57 Not knowing who is chairing or who scribed recently, I propose bryaneyler
20:04:02 Zakim, [IPCaller] is jimsch
20:04:02 sorry, jimsch, I do not recognize a party named '[IPCaller]'
20:04:20 Zakim, [IPCaller.a] is jimsch
20:04:20 +jimsch; got it
20:05:01 nvdbleek has joined #crypto
20:05:16 zakim, code?
20:05:16 the conference code is 27978 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), nvdbleek
20:05:21 [missed name]: presenting webcert API; latest version not on web yet
20:06:13 s/[missed name]/sangrae
20:06:33 sangrae: Latest update changes use cases ...
20:07:02 + +1.650.214.aabb
20:07:02 tantek has joined #crypto
20:07:11 ... previous, focus on certs for Korean banking, but violates same origin policies. ...
20:07:58 rsleevi has joined #crypto
20:08:00 ... New focus on cert mgmt instead of usage; doesn't violate same origin. ...
20:08:36 ... Can revoke cert when not desired to use.
20:08:52 bryan, can you mute?
20:09:03 I believe I'm muted.
20:09:28 Zakim, mute bryaneyler
20:09:28 bryaneyler should now be muted
20:09:33 Zakim, who is making noise
20:09:33 I don't understand 'who is making noise', rsleevi
20:09:39 Zakim, who is noisy?
20:09:51 arunranga, listening for 10 seconds I heard sound from the following: hhalpin (74%), jimsch (75%)
20:09:59 Zakim, mute hhalpin
20:09:59 hhalpin should now be muted
20:10:07 :)
20:10:08 :-)
20:10:14 Zakim, unmute bryaneyler
20:10:14 bryaneyler should no longer be muted
20:10:34 +nvdbleek
20:10:49 zakim, who is noisy?
20:11:02 arunranga, listening for 12 seconds I heard sound from the following: jimsch (78%)
20:11:45 sangrae: When user wants to use cert, can issue request to CA; CA returns cert and UA sends notification to CA to use cert. ...
20:11:55 zakim, pointer?
20:11:55 I don't understand your question, nvdbleek.
20:12:17 Sorry, rsleevi, I don't understand 'trackbot, pointer'. Please refer to for help.
20:12:44 nvdbleek has joined #crypto
20:12:46 ... 3.6: First 3 methods to request cert, plus generating and revoking methods. ...
20:13:54 ... Currently working on API specs. ...
20:14:10 ... will be ready for F2F.
20:14:21 q+
20:14:23 Zakim, unmute me
20:14:23 hhalpin should no longer be muted
20:14:27 q?
20:14:30 q+
20:14:31 ack MichaelH
20:15:01 Michael: What are we standardizing? Call to web-based CA? Or generic CA? Or supposed to standardize all CAs?
20:15:17 sangrae: Trying to standardize all CAs.
20:15:34 ... mainly focus on RFC 4210
20:15:50 ... PKCS#10 req msgs
20:15:52 +[Microsoft]
20:15:53 israelh has joined #Crypto
20:16:10 ... more about UA being about to request from any CA using those protocols.
20:16:26 q+
20:16:28 Michael: UA communicates with all RFC 4210 CAs?
20:16:29 Now in W3C space
20:16:29 http://www.w3.org/2012/webcrypto/WebCertAPI/webcertapi.html
20:16:33 sangrae: Yes
20:16:42 Zakim, unmute jimsch
20:16:42 jimsch.a was not muted, hhalpin
20:16:48 Zakim, ack jimsch
20:16:48 I see rsleevi on the speaker queue
20:16:52 jim?
20:17:48 Jim: 3 different cert mgmt protocols: CNC, CMP, PKCS10. Why choose to standardize one?
20:17:52 q+
20:17:56 ... no mention of PKCS10 in doc.
20:18:33 sangrae: API will incorporate PKCS10. In Korea, typically use CMP.
20:19:49 ... anyone with knowledge of CNC; can incorporate. Still basic API types: response and confirm.
20:20:30 rsleevi, Yes I did finally find it
20:20:42 enum ReqType {
             // RFC 4210 Certificate Management Protocol.
             "cmp",
             // PKCS#10 type Certificate signing request.
             "pkcs10",
         };
20:21:03 Ryan: PKCS10 is referenced in draft. Need to identify what capabilities are needed that cannot be handled at the moment.
20:21:29 ... can implement these protocols fully within JS.
20:21:53 ... need to bring down to 1st principles. Take a look at work products and identify features needed for use case.
20:21:54 +1 to making this in JavaScript for the current period of time
20:22:14 ... to make progress, need the problem space.
20:22:49 nvdbleek has joined #crypto
20:22:53 ... don't understand the root set of problems that cannot be addressed in JS.
20:23:30 ... already apps that handle problem.
20:24:32 Sangrae: Trying to expand cert request to cert mgmt.
20:24:42 ... can handle issuing, updating, revoking.
20:24:45 Here's one version of the banking use-case: http://www.w3.org/TR/2013/WD-webcrypto-usecases-20130108/#banking
20:24:46 Jyates has joined #Crypto
20:25:04 ... PKCS#10 doesn't have mgmt protocol capabilities.
20:25:33 That's why I referenced the earlier paragraph, as I think sangrae needs to go through
20:25:38 q+
20:25:44 and tighten his case, that text seems to be a decent starting place
20:25:48 ... cert mgmt deals with public key pairs; cannot handle the keys in JS because it's insecure.
20:26:26 +karen_oDonoghue
20:26:31 Ryan: Only discussing use case; need problem.
20:26:32 Agree the use-case needs work, but I don't really understand the details of banking use-case
20:26:41 it seems like they want a certificate management library
20:26:59 -nvdbleek
20:27:01 ... how secure should keys be?
20:27:10 kodonog has joined #crypto
20:27:27 +nvdbleek
20:27:29 ... if wrote an app using current API, what are points that cannot be used to write it?
20:27:50 ... if no problems, need better documentation. If problems exist, need to understand where.
20:28:18 Sangrae: Will provide problem statement.
20:29:12 Harry: Need more detail in problem and why cannot use current API.
20:29:37 ... is Sangrae going to make it to F2F?
20:29:41 Sangrae: Yes
20:29:45 ack MichaelH
20:29:49 ack hhalpin
20:30:04 did we lose Michael?
20:30:38 Zakim, mute hhalpin
20:30:38 hhalpin should now be muted
20:30:45 Michael: Why is UA involved in process? What is it adding to the application?
20:31:06 Sangrae: In previous Korean banking use cases, cert is used in web apps.
20:31:41 ... if cert mgmt is in UA, then don't need extra plugins to handle cert.
20:31:51 ... currently causing security problem in Korea.
20:31:56 ACTION: Arun to bug-fix use cases document with removed banking use case.
20:31:56 Created ACTION-116 - Bug-fix use cases document with removed banking use case. [on Arun Ranganathan - due 2013-10-21].
20:32:00 ... main reason for standardizing.
20:32:09 q?
20:32:22 It is not clear to me if the problem is how to deal with certificates, or if the problem is how to deal with single origin
20:32:27 Jyates has joined #Crypto
20:32:35 Harry: Need to revisit in F2F.
20:32:45 ... believe trying to fix same origin problem.
20:33:09 ... want to keep working group running beyond current charter?
20:33:28 ... some groups that have ending point, some that continue to put out new versions.
20:33:56 ... Would people want to discuss the future?
20:35:01 q+
20:35:06 Harry: How do we close issues like set of algorithms?
20:35:06 ack israelh
20:35:08 I'd like to see us not take on any *new* items until we get to actual shipping and site experience. I think it's unreasonable to suggest "This can't be done" until people have tried
20:35:23 well, MS has started shipping :)
20:35:32 Israel: Instead of going indefinitely, set achievements for different versions.
20:35:37 but agreed, however, we need to figure out how to close some open issues
20:35:46 and either we put them in a "roadmap" document
20:35:48 and close them
20:35:52 ... important to address certificates since people will be asking about them.
20:35:57 or we say "we're likely to go on with a new charter"
20:36:12 q+
20:36:24 ack rsleevi
20:36:25 Harry?: Can close this out in F2F.
20:36:50 Ryan: Charter extremely broad. Like to close up, then can look at secondary deliverables.
20:37:06 ... Should focus on immediate deliverables and have threads for side-issues.
20:37:20 ... instead of indefinite group, use charter to prioritize issues
20:37:24 ale has joined #crypto
20:37:42 ... lots missing from problem statement, but prioritize broad and narrow problems.
20:38:14 Harry: Going back to closing out issues on current API, what needs to be closed before last call?
20:38:26 ... do you have time to close them out? Any discussion on specific issues?
20:39:10 Ryan: Want to go into F2F with issues closed. Some issues don't fit API.
20:39:31 tantek has joined #crypto
20:39:39 ... some issues: want more algorithms, need registry point for some algorithms
20:40:00 Harry: Nice to close out Dan's issues before F2F.
20:40:05 oct 28th?
20:40:06 ... on call of 28th.
20:40:15 That call to close out all of Dan's 28th.
20:40:33 Ryan: All can be closed.
20:40:40 ... just need to add some notes
20:40:51 rsleevi; +1 from my memory from the call that most of them could be closed out
20:40:55 ... already supported or addressed, just need rewording.
20:41:26 Harry: If somebody doesn't understand, good indicator that web devs won't understand as well.
20:41:47 Lot of it was informative notes
20:41:50 Ryan: Everything is questioning choice of algorithms or wording; no action
20:42:02 ... should data and key be separate?
20:42:14 ... for something like encrypt, does not make appropriate API.
20:42:29 ... from API design point, proposal is incorrect; should close
20:42:43 ... that's the only issue that would require lots of change.
20:43:01 ... others: ECC: additional curves (could add additional curves)
20:43:13 ... no guarantees of entropy
20:43:34 ... bigger problems than WebCrypto
20:43:52 ... Overall, issues can be closed out, just need communication to ensure they're being addressed.
20:44:08 Harry: Respond to original email?
20:44:17 Ryan: Will do.
20:44:25 ACTION: rsleevi to respond to Dr. Boneh's issues email
20:44:26 Created ACTION-117 - Respond to dr. boneh's issues email [on Ryan Sleevi - due 2013-10-21].
20:44:50 Harry: What issues should be addressed in F2F? Need a draft agenda.
20:45:32 Ryan: Put together finalized doc. Should skip in favour of putting together new draft before F2F to give enough time to review.
20:45:49 ... people should have time to review before F2F
20:45:55 I think the issues that need to be added are the draft solution re key wrapping
20:46:00 ... need to get draft in final review
20:46:15 ... during implementation on Chrome side, issues brought up
20:46:23 ... need to understand Microsoft implementation
20:46:32 ... any broad or concerning text?
20:46:37 Anyone from Mozilla on phone?
20:46:43 ... call or review? Prefer review.
20:46:54 Harry: Purpose of call to remind to review.
20:47:05 Zakim, unmute me
20:47:05 arunranga should no longer be muted
20:47:06 ... need to also request review from Mozilla
20:47:20 q+
20:47:22 ... anybody from Mozilla handling API?
20:47:28 ack arunranga
20:47:29 we can hear you
20:47:40 ddahl has left Mozilla
20:47:45 Arun: Currently no implementation since David left.
20:47:54 ... won't be able to attend F2F
20:48:04 ... can still review and interact with implementers
20:48:10 q+
20:48:16 ack israelh
20:48:35 Israel: Trying to figure out how promises maps to long-term strategy.
20:48:41 ... when can implement it
20:48:59 ... mapping to current spec
20:49:29 Harry: Main thing to do: implementation experience section to walk through common problems.
20:49:36 ... like to get new version before F2F
20:49:53 ... have people from W3C to do reviews after last call
20:50:03 ... Graham Steel's group will be available
20:50:09 What % of spec has been implemented so far?
20:50:18 ... any major open issues?
20:50:30 ... Promises is outside of WebCrypto scope.
20:50:43 Arun: No objection, just timeframe.
20:50:49 s/Arun/Israelh
20:50:59 ... when can bake it into platform
20:51:21 ... need feedback on overall implementation before sending to group
20:51:46 Harry: Anything else to cover in F2F?
20:52:06 Ryan: Have a number of members representing non-UA.
20:52:57 ... during review, instead of implementation concerns, like to see members representing smart cards, etc. putting together problem statements
20:53:14 ... so we can merge interests to look for next steps.
20:53:39 2. Session on use-cases from non-implementers
20:53:43 ... any common themes in problems
20:53:46 ideally with problem statements/docs emailed out beforehand
20:54:16 Israel?: Great example is work that Netflix has done
20:54:36 ... Netflix has real-world experience using API, so would be interesting to share that info
20:54:45 +1 to Israel's comments
20:54:50 q?
20:54:52 Is Mark Watson going to F2F?
20:55:11 Harry: Will check on anybody from Netflix going.
20:55:28 We're meeting for two days :)
20:55:31 ... 1st day: implementation concerns. 2nd day: problems missing solutions currently?
20:55:50 How about Wednesday?
20:55:51 Ryan: Should interleave the issues to allow more discussion.
20:55:57 hhalpin, if possible, a dial-in for some of the sessions would be great if feasible.
20:55:59 Wednesday will be quite busy with AC
20:56:02 ... mixing would be productive and refreshing.
20:56:27 Harry: Challenge is to get use cases emailed out ahead of time to form agenda.
20:56:39 ... Will put a call out for putting forward the use cases.
20:57:15 Israel: Possible to have Netflix do a demo at EOD 1
20:57:16 Netflix demo on day 1
20:57:26 ... for good example of how to use
20:57:54 Harry: Will send call out
20:58:10 ... Time to close the call?
20:58:12 q+
20:58:32 Michael: Hoping somebody else could contribute to key discovery implementation
20:58:34 ACTION: hhalpin to send out call for use-cases for Crypto API
20:58:35 Created ACTION-118 - Send out call for use-cases for crypto api [on Harry Halpin - due 2013-10-21].
20:58:36 ... over email is fine
20:59:06 [unknown]: Anybody from Brazil involved in key management?
20:59:19 s/[unknown]/IsraelH
20:59:51 Harry: W3C office in Brazil, but not sure what's going on
21:00:12 Israel: Will do more research to find specific person
21:00:22 Harry: Can send the email, just need to know to whom.
21:00:33 - +1.650.214.aabb
21:00:34 -nvdbleek
21:00:34 -karen_oDonoghue
21:00:35 -JYates
21:00:36 -jimsch.a
21:00:40 -sangrae
21:00:41 -mete
21:00:42 -bryaneyler
21:00:51 -[Microsoft]
21:01:04 -hhalpin
21:01:12 Zakim, draft minutes
21:01:12 I don't understand 'draft minutes', hhalpin
21:01:17 trackbot, end meeting
21:01:17 Zakim, list attendees
21:01:17 As of this point the attendees have been +90533302aaaa, mete, hhalpin, Michael_Hutchinson, JYates, arunranga, bryaneyler, +1.650.214.aabb, nvdbleek, sangrae, [Microsoft],
21:01:20 ... karen_oDonoghue
21:01:25 RRSAgent, please draft minutes
21:01:25 I have made the request to generate http://www.w3.org/2013/10/14-crypto-minutes.html trackbot
21:01:26 RRSAgent, bye
21:01:26 I see 3 open action items saved in http://www.w3.org/2013/10/14-crypto-actions.rdf :
21:01:26 ACTION: Arun to bug-fix use cases document with removed banking use case. [1]
21:01:26 recorded in http://www.w3.org/2013/10/14-crypto-irc#T20-31-56
21:01:26 ACTION: rsleevi to respond to Dr. Boneh's issues email [2]
21:01:26 recorded in http://www.w3.org/2013/10/14-crypto-irc#T20-44-25
21:01:26 ACTION: hhalpin to send out call for use-cases for Crypto API [3]
21:01:26 recorded in http://www.w3.org/2013/10/14-crypto-irc#T20-58-34