Web Cryptography Working Group Teleconference

14 Oct 2013

See also: IRC log


+90533302aaaa, mete, hhalpin, Michael_Hutchinson, JYates, arunranga, bryaneyler, +1.650.214.aabb, nvdbleek, sangrae, [Microsoft], karen_oDonoghue


<trackbot> Date: 14 October 2013

<hhalpin> Who is GVoice and IPcaller?

<sangrae> this is sangrae calling from Skype

Web Certficate API and Future of the WG

<hhalpin> mountie, want to introduce?

<hhalpin> http://mountielee.github.io/webcertapi/webcertapi_draft.html

<MichaelH> W3C Editor’s Draft 11 October 2013

<hhalpin> Oct 11trh?

<hhalpin> Which API?

<hhalpin> has the link?

sangrae: presenting webcert API; latest version not on web yet
... Latest update changes use cases ...
... previous, focus on certs for Korean banking, but violates same origin policies. ...

<scribe> ... New focus on cert mgmt instead of usage; doesn't violate same origin. ...

UNKNOWN_SPEAKER: Can revoke cert when not desired to use.

<jimsch> bryan, can you mute?

I believe I'm muted.

<rsleevi> :)

<arunranga> :-)

sangrae: When user wants to use cert, can issue request to CA; CA returns cert and UA sends notification to CA to use cert. ...

<trackbot> Sorry, rsleevi, I don't understand 'trackbot, pointer'. Please refer to <http://www.w3.org/2005/06/tracker/irc> for help.

sangrae: 3.6: First 3 methods to request cert, plus generating and revoking methods. ...
... Currently working on API specs. ...
... will be ready for F2F.

Michael: What are we standardizing? Call to web-based CA? Or generic CA? Or supposed to standardize all CAs?

sangrae: Trying to standardize all CAs.
... mainly focus on RFC 4210
... PKCS#10 req msgs
... more about UA being about to request from any CA using those protocols.

Michael: UA communicates with all RFC 4210 CAs?

<hhalpin> Now in W3C space

<hhalpin> http://www.w3.org/2012/webcrypto/WebCertAPI/webcertapi.html

sangrae: Yes

<hhalpin> jim?

Jim: 3 different cert mgmt protocols: CNC, CMP, PKCS10. Why choose to standardize one?
... no mention of PKCS10 in doc.

sangrae: API will incorporate PKCS10. In Korea, typically use CMP.
... anyone with knowledge of CNC; can incorporate. Still basic API types: response and confirm.

<jimsch> rsleevi, Yes I did finally find it

<MichaelH> enum ReqType { // RFC 4210 Certificate Management Protocol. "cmp", // PKCS#10 type Certificate signing request. "pkcs10", };

Ryan: PKCS10 is referenced in draft. Need to identify what capabilities are needed that cannot be handled at the moment.
... can implement these protocols fully within JS.
... need to bring down to 1st principles. Take a look at work products and identify features needed for use case.

<jimsch> +1 to making this in JavaScript for the current period of time

Ryan: to make progress, need the problem space.
... don't understand the root set of problems that cannot be addressed in JS.
... already apps that handle problem.

Sangrae: Trying to expand cert request to cert mgmt.
... can handle issuing, updating, revoking.

<hhalpin> Here's one version of the banking use-case: http://www.w3.org/TR/2013/WD-webcrypto-usecases-20130108/#banking

Sangrae: PKCS#10 doesn't have mgmt protocol capabilities.

<hhalpin> That's why I referenced the earlier paragraph, as I think sangrae needs to go through

<hhalpin> and tighten his case, thta text seems to be a decent starting place

Sangrae: cert mgmt deals with public key pairs; cannot handle the keys in JS because it's insecure.

Ryan: Only discussing use case; need problem.

<hhalpin> Agree the use-case needs work, but I don't really understand the details of banking use-case

<hhalpin> it seems like they want a certficate management library

Ryan: how secure should keys be?
... if wrote an app using current API, what are points that cannot be used to write it?
... if no problems, need better documentation. If problems exist, need to understand where.

Sangrae: Will provide problem statement.

Harry: Need more detail in problem and why cannot use current API.
... is Sangrae going to make it to F2F?

Sangrae: Yes

<rsleevi> did we lose Michael?

Michael: Why is UA involved in process? What is it adding to the application?

Sangrae: In previous Korean banking use cases, cert is used in web apps.
... if cert mgmt is in UA, then don't need extra plugins to handle cert.
... currently causing security problem in Korea.

<arunranga> ACTION: Arun to bug-fix use cases document with removed banking use case. [recorded in http://www.w3.org/2013/10/14-crypto-minutes.html#action01]

<trackbot> Created ACTION-116 - Bug-fix use cases document with removed banking use case. [on Arun Ranganathan - due 2013-10-21].

Sangrae: main reason for standardizing.

<jimsch> It is not clear to me if the problem is how to deal with certificates, or if the problem is how to deal with single origin

Harry: Need to revisit in F2F.
... believe trying to fix same origin problem.
... want to keep working group running beyond current charter?
... some groups that have ending point, some that continue to put out new versions.
... Would people want to discuss the future?
... How do we close issues like set of algorithms?

<rsleevi> I'd like to see us not take on any *new* items until we get to actual shipping and site experience. I think it's unreasonable to suggest "This can't be done" until people have tried

<hhalpin> well, MS has started shipping :)

Israel: Instead of going indefinitely, set achievements for different versions.

<hhalpin> but agreed, however, we need to figure out how to close some open issues

<hhalpin> and either we put them in a "roadmap" document

<hhalpin> and close them

Israel: important to address certificates since people will be asking about them.

<hhalpin> or we say "we're likely to go on with a new charter"

Harry?: Can close this out in F2F.

Ryan: Charter extremely broad. Like to close up, then can look at secondary deliverables.
... Should focus on immediate deliverables and have threads for side-issues.
... instead of indefinite group, use charter to prioritize issues
... lots missing from problem statement, but prioritize broad and narrow problems.

Harry: Going back to closing out issues on current API, what needs to be closed before last call?
... do you have time to close them out? Any discussion on specific issues?

Ryan: Want to go into F2F with issues closed. Some issues don't fit API.
... some issues: want more algorithms, need registry point for some algorithms

Harry: Nice to close out Dan's issues before F2F.

<hhalpin> oct 28th?

Harry: on call of 28th.

<hhalpin> That call to close out all of Dan's 28th.

Ryan: All can be closed.
... just need to add some notes

<jimsch> rsleevi; +1 from my memory from the call that most of them could be closed out

Ryan: already supported or addressed, just need rewording.

Harry: If somebody doesn't understand, good indicator that web devs won't understand as well.

<hhalpin> Lot of it was informative notes

Ryan: Everything is questioning choice of algorithms or wording; no action
... should data and key be separate?
... for something like encrypt, does not make appropriate API.
... from API design point, proposal is incorrect; should close
... that's the only issue that would require lots of change.
... others: ECC: additional curves (could add additional curves)
... no guarantees of entropy
... bigger problems than WebCrypto
... Overall, issues can be closed out, just need communication to ensure they're being addressed.

Harry: Respond to original email?

Ryan: Will do.

<rsleevi> ACTION: rsleevi to respond to Dr. Boneh's issues email [recorded in http://www.w3.org/2013/10/14-crypto-minutes.html#action02]

<trackbot> Created ACTION-117 - Respond to dr. boneh's issues email [on Ryan Sleevi - due 2013-10-21].

Harry: What issues should be addressed in F2F? Need a draft agenda.

Ryan: Put together finalized doc. Should skip in favour of putting together new draft before F2F to give enough time to review.
... people should have time to review before F2F

<hhalpin> I think the issues that need to be added are the draft solution re key wrapping

Ryan: need to get draft in final review
... during implementation on Chrome side, issues brought up
... need to understand Microsoft implementation
... any broad or concerning text?

<hhalpin> Anyone from Mozilla on phone?

Ryan: call or review? Prefer review.

Harry: Purpose of call to remind to review.
... need to also request review from Mozilla
... anybody from Mozilla handling API?

<rsleevi> we can hear you

<hhalpin> ddahl has left Mozilla

Arun: Currently no implemention since David left.
... won't be able to attend F2F
... can still review and interact with implementers

Israel: Trying to figure out how promises maps to long-term strategy.
... when can implement it
... mapping to current spec

Harry: Main thing to do: implementation experience section to walk through common problems.
... like to get new version before F2F
... have people from W3C to do reviews after last call
... Graham Steel's group will be available

<MichaelH> What % of spec has been implemented so far?

Harry: any major open issues?
... Promises is outside of WebCrypto scope.

Israelh: No objection, just timeframe.
... when can bake it into platform
... need feedback on overall implementation before sending to group

Harry: Anything else to cover in F2F?

Ryan: Have a number of members representing non-UA.
... during review, instead of implementation concerns, like to see members representing smart cards, etc. putting together problem statements
... so we can merge interests to look for next steps.

<hhalpin> 2. Session on use-cases from non-implementers

Ryan: any common themes in problems

<hhalpin> ideally with problem statements/docs emailed out beforehand

Israel?: Great example is work that Netflix has done

scribe: Netlfix has real-world experience using API, so would be interesting to share that info

<rsleevi> +1 to Israel's comments

<MichaelH> Is Mark Watson going to F2F?

Harry: Will check on anybody from Netflix going.

<hhalpin> We're meeting for two days :)

Harry: 1st day: implementation concerns. 2nd day: problems missing solutions currently?

<MichaelH> How about Wednesday?

Ryan: Should interleave the issues to allow more discussion.

<arunranga> hhalpin, if possible, a dial-in for some of the sessions would be great if feasible.

<hhalpin> Wednesday will be quite busy with AC

Ryan: mixing would be productive and refreshing.

Harry: Challenge is to get use cases emailed out ahead of time to form agenda.
... Will put a call out for putting forward the use cases.

Israel: Possible to have Netflix do a demo at EOD 1

<hhalpin> Netflix demo on day 1

Israel: for good example of how to use

Harry: Will send call out
... Time to close the call?

Michael: Hoping somebody else could contribute to key discovery implementation

<hhalpin> ACTION: hhalpin to send out call for use-cases for Crypto API [recorded in http://www.w3.org/2013/10/14-crypto-minutes.html#action03]

<trackbot> Created ACTION-118 - Send out call for use-cases for crypto api [on Harry Halpin - due 2013-10-21].

Michael: over email is fine

IsraelH: Anybody from Brazil involved in key management?

Harry: W3C office in Brazil, but not sure what's going on

Israel: Will do more research to find specific person

Harry: Can send the email, just need to know to whom.

<hhalpin> trackbot, end meeting

Summary of Action Items

[NEW] ACTION: Arun to bug-fix use cases document with removed banking use case. [recorded in http://www.w3.org/2013/10/14-crypto-minutes.html#action01]
[NEW] ACTION: hhalpin to send out call for use-cases for Crypto API [recorded in http://www.w3.org/2013/10/14-crypto-minutes.html#action03]
[NEW] ACTION: rsleevi to respond to Dr. Boneh's issues email [recorded in http://www.w3.org/2013/10/14-crypto-minutes.html#action02]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2013-10-14 21:01:30 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/[missed name]/sangrae/
Succeeded: s/Arun/Israelh/
Succeeded: s/[unknown]/IsraelH/
No ScribeNick specified.  Guessing ScribeNick: bryaneyler
Inferring Scribes: bryaneyler
Default Present: +90533302aaaa, mete, hhalpin, Michael_Hutchinson, JYates, arunranga, bryaneyler, +1.650.214.aabb, nvdbleek, sangrae, [Microsoft], karen_oDonoghue
Present: +90533302aaaa mete hhalpin Michael_Hutchinson JYates arunranga bryaneyler +1.650.214.aabb nvdbleek sangrae [Microsoft] karen_oDonoghue

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Found Date: 14 Oct 2013
Guessing minutes URL: http://www.w3.org/2013/10/14-crypto-minutes.html
People with action items: arun hhalpin rsleevi

[End of scribe.perl diagnostic output]