19:32:54 <RRSAgent> RRSAgent has joined #crypto
19:32:54 <RRSAgent> logging to http://www.w3.org/2013/09/30-crypto-irc
19:32:56 <trackbot> RRSAgent, make logs public
19:32:56 <Zakim> Zakim has joined #crypto
19:32:58 <trackbot> Zakim, this will be SEC_WebCryp
19:32:58 <Zakim> ok, trackbot; I see SEC_WebCryp()4:00PM scheduled to start in 28 minutes
19:32:59 <trackbot> Meeting: Web Cryptography Working Group Teleconference
19:32:59 <trackbot> Date: 30 September 2013
19:36:37 <tobie> tobie has joined #crypto
19:51:18 <sangrae> sangrae has joined #crypto
19:53:39 <mete> mete has joined #crypto
19:54:01 <wseltzer> wseltzer has changed the topic to: WebCrypto call 30 Sept. 4pm US Eastern time
19:55:38 <Zakim> SEC_WebCryp()4:00PM has now started
19:55:46 <Zakim> + +90533302aaaa
19:56:05 <Zakim> +Wendy
19:56:46 <virginie> virginie has joined #crypto
19:57:05 <virginie> agenda?
19:57:06 <mete> zakim, aaaa is mete
19:57:07 <Zakim> +mete; got it
19:57:16 <virginie> agenda+ welcome
19:57:36 <virginie> agenda+ web crypto api review by Dan
19:58:07 <virginie> agenda+ integrating the words for extractability in Web Crypto API
19:58:12 <kodonog> kodonog has joined #crypto
19:58:32 <virginie> agenda+ michael proposal to extend key discovery
19:58:34 <Zakim> +[Microsoft]
19:58:46 <virginie> agenda+ F2F meeting and other group life items
19:58:51 <Zakim> +[IPcaller]
19:59:07 <karen> karen has joined #crypto
19:59:18 <Zakim> + +1.540.809.aabb
19:59:23 <wseltzer> zakim, Microsoft has selfissued
19:59:23 <Zakim> +selfissued; got it
19:59:54 <jyates> jyates has joined #crypto
20:00:00 <Zakim> +Arun_Ranganathan
20:00:02 <Zakim> + +1.512.257.aacc
20:00:03 <jimsch> jimsch has joined #crypto
20:00:11 <wseltzer> zakim, aabb is probably kodonog
20:00:11 <Zakim> +kodonog?; got it
20:00:18 <MichaelH> MichaelH has joined #crypto
20:00:20 <Zakim> + +1.650.725.aadd
20:00:50 <Zakim> + +1.512.257.aaee
20:00:50 <wseltzer> zakim, aadd is Dan_Boneh
20:00:52 <Zakim> +Dan_Boneh; got it
20:00:52 <Zakim> + +1.617.253.aaff
20:01:00 <Zakim> + +1.512.257.aagg
20:01:10 <wseltzer> zakim, who is herre?
20:01:10 <Zakim> I don't understand your question, wseltzer.
20:01:13 <wseltzer> zakim, who is here?
20:01:13 <Zakim> On the phone I see mete, Wendy, [Microsoft], [IPcaller], kodonog?, Arun_Ranganathan, +1.512.257.aacc, Dan_Boneh, +1.617.253.aaff, +1.512.257.aaee, +1.512.257.aagg
20:01:16 <Zakim> [Microsoft] has selfissued
20:01:16 <Zakim> On IRC I see MichaelH, jimsch, jyates, karen, kodonog, virginie, mete, sangrae, tobie, Zakim, RRSAgent, wseltzer, timeless, slightlyoff, trackbot, eroman
20:01:20 <wseltzer> zakim, aaff is jyates
20:01:20 <Zakim> +jyates; got it
20:01:26 <MichaelH> Zakim, aaee is me
20:01:26 <Zakim> +MichaelH; got it
20:01:31 <Zakim> + +1.661.748.aahh
20:01:38 <wseltzer> zakim, aagg is karen
20:01:39 <Zakim> +karen; got it
20:01:51 <wseltzer> zakim, aacc is virginie
20:01:51 <Zakim> +virginie; got it
20:01:55 <wseltzer> zakim, who is here?
20:01:55 <Zakim> On the phone I see mete, Wendy, [Microsoft], [IPcaller], kodonog?, Arun_Ranganathan, virginie, Dan_Boneh, jyates, MichaelH, karen, +1.661.748.aahh
20:01:57 <Zakim> [Microsoft] has selfissued
20:01:57 <Zakim> On IRC I see MichaelH, jimsch, jyates, karen, kodonog, virginie, mete, sangrae, tobie, Zakim, RRSAgent, wseltzer, timeless, slightlyoff, trackbot, eroman
20:02:04 <jimsch> zakrim, [ipcaller] is jimsch
20:02:07 <wseltzer> zakim, aahh is Sangrae
20:02:07 <Zakim> +Sangrae; got it
20:02:26 <virginie> agenda?
20:02:49 <Zakim> +[GVoice]
20:03:17 <wseltzer> zakim, GVoice is Brian
20:03:17 <Zakim> +Brian; got it
20:03:20 <bryaneyler> bryaneyler has joined #crypto
20:03:31 <wseltzer> zakim, Brian is really BryanEyler
20:03:31 <Zakim> +BryanEyler; got it
20:03:38 <virginie> zakim, who is on the call
20:03:38 <Zakim> I don't understand 'who is on the call', virginie
20:03:47 <virginie> zakim, who is here?
20:03:47 <Zakim> On the phone I see mete, Wendy, [Microsoft], [IPcaller], kodonog?, Arun_Ranganathan, virginie, Dan_Boneh, jyates, MichaelH, karen, Sangrae, BryanEyler
20:03:50 <Zakim> [Microsoft] has selfissued
20:03:50 <Zakim> On IRC I see bryaneyler, MichaelH, jimsch, jyates, karen, kodonog, virginie, mete, sangrae, tobie, Zakim, RRSAgent, wseltzer, timeless, slightlyoff, trackbot, eroman
20:04:11 <jimsch> zakim, [ipcaller] is jimsch
20:04:12 <Zakim> +jimsch; got it
20:04:46 <hhalpin> hhalpin has joined #crypto
20:05:04 <virginie> agenda?
20:05:40 <Zakim> +[IPcaller]
20:05:48 <hhalpin> Zakim, [IPcaller] is hhalpin
20:05:48 <Zakim> +hhalpin; got it
20:05:51 <israelh> israelh has joined #Crypto
20:06:09 <wseltzer> chair: Virginie
20:06:44 <wseltzer> zakim, pick a scribe
20:06:44 <Zakim> Not knowing who is chairing or who scribed recently, I propose kodonog?
20:06:46 <Zakim> +[Microsoft.a]
20:06:56 <kodonog> ok
20:07:21 <kodonog> scribe
20:07:25 <MichaelH> Question: Is neither Editor online?
20:07:36 <wseltzer> zakim, Microsoft.a has israelh
20:07:36 <Zakim> +israelh; got it
20:07:43 <virginie> http://www.w3.org/2013/09/16-crypto-minutes.html
20:07:44 <wseltzer> scribenick: kodonog
20:08:04 <MichaelH> +q
20:08:35 <kodonog> minutes from 16 September 2013 approved
20:09:06 <jimsch> wendy, when are minutes going to get posted to the website?
20:09:33 <jimsch> yes
20:09:36 <kodonog> Dan's comments...
20:09:36 <hhalpin> The minutes are always sent out over the mailing list
20:09:45 <hhalpin> but nonetheless, we can try to do that before TPAC 2013.
20:10:14 <virginie> Dan comment are available under http://lists.w3.org/Archives/Public/public-webcrypto/2013Sep/0054.html
20:10:25 <kodonog> Section 5 - security considerations
20:11:14 <kodonog> 5.2 3rd paragraph, keys might be accessible to end user, end user might have access to plain text data in addition to keys
20:11:18 <virginie> https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#security-developers
20:12:03 <kodonog> surprised that there is no consideration of the platform itself... add a paragraph talking about the need for strong randomness,
20:12:21 <wseltzer> q+ to ask, should we raise issues for any of these?
20:12:37 <hhalpin> Yes, I would raise issues for this, at least stating it in an informative way.
20:12:39 <MichaelH> ack
20:12:42 <hhalpin> q+
20:12:42 <kodonog> Virginie: we had discussion about strong random, most of the randomness is strong but it isn't stated in the spec
20:12:45 <wseltzer> ack MichaelH
20:12:59 <kodonog> Dan: security considerations is where this could go
20:13:20 <israelh> q+
20:13:43 <arunranga> arunranga has joined #crypto
20:13:45 <kodonog> Sec 9, no mention that the random generator might fail
20:13:56 <hhalpin> I'll go after Israel, as this is an implementation issue
20:13:57 <wseltzer> q?
20:13:57 <hhalpin> q-
20:14:00 <hhalpin> q+
20:14:10 <arunranga> q?
20:14:20 <arunranga> zakim, who is on the call?
20:14:20 <Zakim> On the phone I see mete, Wendy, [Microsoft], jimsch, kodonog?, Arun_Ranganathan, virginie, Dan_Boneh, jyates, MichaelH, karen, Sangrae, BryanEyler, hhalpin, [Microsoft.a]
20:14:23 <Zakim> [Microsoft] has selfissued
20:14:23 <Zakim> [Microsoft.a] has israelh
20:15:09 <kodonog> Wendy: we should add issues into the tracker for each of these points
20:15:31 <wseltzer> ack wseltzer
20:15:31 <Zakim> wseltzer, you wanted to ask, should we raise issues for any of these?
20:15:39 <kodonog> Harry is happy to raise the issues in the tracker since he asked for the review
20:16:33 <kodonog> Israel: How is this statement different than any plaintext that you would store in the browser? Perceived expections of the end user
20:17:46 <wseltzer> ack israelh
20:18:23 <kodonog> Dan: The developer may have some expectation that when he decrypts ciphertext on the end point it isn't visible to the end user, but that isn't the case.
20:18:52 <wseltzer> +1 re warnings on entropy failure
20:18:55 <kodonog> Bigger issue is the question of entropy and the fact that the random number generator might fail
20:19:30 <kodonog> Harry: We can't make entropy guarantees... should we provide more of a warning...
20:19:49 <Zakim> -jimsch
20:20:22 <kodonog> Dan: they fail when their entropy state is too low.
20:20:33 <Zakim> +[IPcaller]
20:20:55 <kodonog> Harry: both these issues could be dealt with informative notes
20:21:30 <hhalpin> q- hhalpin
20:22:09 <virginie> commenting now section 13 https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#subtlecrypto-interface
20:23:06 <wseltzer> zakim, [IPc is jimsch
20:23:06 <Zakim> +jimsch; got it
20:24:09 <wseltzer> q?
20:24:11 <MichaelH> +q
20:24:36 <kodonog> Dan: Section 13 - (see comment in email) suggestion is to expand the symmetric encryption encrypt interface and add two additional argument (nonce and associatedData)
20:24:58 <mete> +1 to nonce and associatedData
20:25:05 <wseltzer> q?
20:25:32 <wseltzer> ack MichaelH
20:25:50 <kodonog> moving onto... associatedData is not an algorithm parameter should be an input
20:26:53 <kodonog> Israel: you aren't saying it isn't workable just that it looks odd given the semantics of the data that is being passed
20:27:20 <kodonog> Dan: true, it is workable, but I'm concerned it will confuse the developers and result in insecure implementations
20:27:29 <MichaelH> +q
20:27:34 <virginie> q?
20:27:57 <kodonog> MichaelH: there is nothing to guarantee that with the nonce being passed in, that they will change it...
20:28:03 <wseltzer> Dan: as-worded, risks suggesting that developers re-use nonce, resulting in insecure implementation
20:28:22 <kodonog> Dan: that's true, but at least if it is being passed in it would suggest to the developer that the nonce would be changed
20:29:06 <selfissued> selfissued has joined #crypto
20:29:07 <kodonog> Section 17: there are algorithms listed there that really should not be used!
20:29:10 <arunranga> Maybe we could break out backward compat as a separate section.
20:29:16 <Zakim> +[Microsoft.aa]
20:29:23 <selfissued> q+
20:29:47 <MichaelH> ack MichaelH
20:30:22 <kodonog> Understand that some algorithms are needed for backward compatibility, but it needs to be really clear that these algorithms should not be used in general.
20:30:44 <kodonog> Mike Jones: agree we should be passing the nonce parameter in (backing up to the previous issue)
20:30:47 <kodonog> Dan:
20:32:15 <kodonog> DF and ECDF are basically the same and should be treated as such, only difference is the parameter (prime and curve)
20:32:24 <hhalpin> sounds sensible to me.
20:32:34 <hhalpin> q+
20:32:50 <wseltzer> ack selfissued
20:32:52 <wseltzer> ack hhalpin
20:33:11 <kodonog> move closer together and make the descriptions the same
20:34:53 <kodonog> Harry: we've had real difficulty in how to separate out those algorithms that are included for backwards compatibility
20:35:22 <kodonog> what specific warnings should we give developers about choosing algorithm... per algorithm informative warning note?
20:35:29 <MichaelH> Deprecated!
20:36:01 <kodonog> options: put known bad algorithms in a specific box or create per algorithm warning
20:36:08 <hhalpin> The term "deprecated" might be the best
20:36:40 <selfissued> q+
20:36:41 <hhalpin> +1
20:36:47 <kodonog> Basic issue is that recommended algorithms are not all really recommended
20:36:58 <kodonog> Perhaps add a sentence about deprecated algorithms at the end
20:37:15 <wseltzer> Dan: specifically, don't recommend AES-CBC
20:37:44 <kodonog> Mike: AES-CBC can be used with an integrity function
20:38:33 <jimsch> McGrew draft is encrypt then mac
20:38:42 <kodonog> Dan: encouraging developers to create their own combinations of AES-CBC with integrity is almost guaranteed to create insecure implement ions...
20:38:46 <kodonog> Dan'
20:38:47 <wseltzer> Dan: of the 7 ways to use AES-CBC with authentication, 6 are wrong
20:39:13 <wseltzer> ... use AES-GCM instead
20:39:56 <kodonog> MIke: McGrew's draft progressing in the IETF
20:40:37 <kodonog> Dan: if that is the case, that algorithm should be added to the document (McGrew's draft)...
20:41:34 <kodonog> Dan: the API should provide that implementation, developers should not build that on their own
20:41:41 <hhalpin> that's AES-ESP you'd recommend?
20:42:04 <jimsch> McGrew draft is http://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/
20:43:06 <virginie> q?
20:43:22 <virginie> ack selfissued
20:43:28 <wseltzer> [answer was AES-GCM]
20:43:49 <wseltzer> Dan: add acces to AES block ciphers (
20:44:00 <kodonog> Dan: on the list of ciphers there is no raw access to AES (AES block cipher), developers will need this if they are going to use algorithms outside the list
20:44:06 <wseltzer> s/(//
20:44:11 <hhalpin> q+
20:44:21 <MichaelH> +q
20:45:05 <kodonog> Dan: AES-CFB shouldn't be on the list
20:45:50 <selfissued> The McGrew draft is http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-02
20:47:28 <kodonog> PBKDF2, different user agents have different computing power, the number of iterations too high might be too much for low computing power devices, and the number to low will impact security. Need some discussion on how to set the number of iterations
20:48:25 <hhalpin> 20,000->200,000?
20:48:32 <hhalpin> What is precise numbers recommended?
20:48:35 <kodonog> Two examples... weak home routers use 2000 iterations, MAC uses 200,000 iterations ... maybe provide three key words (weak, intermediate, and strong with some guidance on what those numbers might be...
20:48:36 <hhalpin> Perhaps as an informative note
20:49:12 <israelh> Is user agent what you meant or devices.  You could potentially have the same user agent running on different devices which could affect performance?
20:49:16 <kodonog> hesitant to include numbers in standard because as devices progress numbers that make sense will change
20:49:23 <israelh> q+
20:49:36 <kodonog> Virginie: would like data or references to help the group
20:50:06 <kodonog> Harry: (??? can't understand him)
20:50:12 <arunranga> Super hard to hear hhalpin
20:51:09 <kodonog> how would you be extensible?
20:51:58 <kodonog> Dan: 90% of the implementations use one of the curves we specify... TLS there is support for using unnamed curves.
20:52:11 <MichaelH> Addition of any new alg/property can be done using 17.3. Defining an algorithm
20:52:25 <kodonog> not suggesting you go that far, but it is very likely within a few months there will be additional curves that will be popular
20:52:51 <jimsch> The recent NSA news has pushed the Brain Trust curves to the forefront for reasons of paranoia
20:53:04 <virginie> q?
20:53:07 <kodonog> should be prepared, developers will want to use curve 25509 (from scribe - not sure this ref is correct)
20:53:22 <wseltzer> s/25509/25519 (djb)/
20:53:41 <wseltzer> s/(from scribe - not sure this ref is correct)
20:53:43 <wseltzer> s/(from scribe - not sure this ref is correct)//
20:54:29 <MichaelH> ack MichaelH
20:54:29 <wseltzer> ack israelh
20:54:43 <kodonog> mechanism for additional curves available via registry... which takes this issue away.
20:55:01 <hhalpin> Where is pointer to registry?
20:55:15 <kodonog> Israel: do you mean user agent or device?
20:55:19 <mete> +q
20:55:33 <kodonog> Dan: I mean the combination of user agent and device
20:56:52 <kodonog> Dan: I was just suggesting that additional information be provided about how to choose the number of iterations (developer has to define this number). Guidance about specific numbers would change over time.
20:57:10 <hhalpin> ok, issues opened
20:58:04 <virginie> q?
20:58:36 <kodonog> Comparison with webgl... but the difference is that here the number of iterations has to be the same across implementations, whereas webgl moves to lower resolution on lower power deveices
20:58:44 <wseltzer> ack hh
20:59:09 <wseltzer> ack mete
20:59:38 <kodonog> Harry: Dan would you be willing to review again after we've had time to resolve your issues?
20:59:45 <kodonog> Dan: yes
21:00:18 <israelh> q+
21:00:39 <israelh> q-
21:01:11 <virginie> q?
21:01:18 <kodonog> example should be GCM not CBC
21:01:46 <selfissued> My thanks to Dan for his comments
21:02:08 <arunranga> +1 selfissued
21:02:47 <israelh> +1
21:02:52 <wseltzer> thanks Dan, and group!
21:02:58 <Zakim> -Sangrae
21:03:00 <Zakim> -jyates
21:03:01 <Zakim> -jimsch
21:03:01 <Zakim> -[Microsoft.a]
21:03:02 <Zakim> -hhalpin
21:03:03 <Zakim> -Dan_Boneh
21:03:04 <Zakim> -MichaelH
21:03:04 <Zakim> -Arun_Ranganathan
21:03:05 <Zakim> -Wendy
21:03:05 <Zakim> -karen
21:03:07 <Zakim> -[Microsoft]
21:03:08 <Zakim> -mete
21:03:09 <Zakim> -kodonog?
21:03:09 <Zakim> -[Microsoft.aa]
21:03:10 <Zakim> -BryanEyler
21:03:11 <Zakim> SEC_WebCryp()4:00PM has ended
21:03:11 <Zakim> Attendees were +90533302aaaa, Wendy, mete, +1.540.809.aabb, selfissued, Arun_Ranganathan, +1.512.257.aacc, kodonog?, +1.650.725.aadd, +1.512.257.aaee, Dan_Boneh, +1.617.253.aaff,
21:03:11 <Zakim> ... +1.512.257.aagg, jyates, MichaelH, +1.661.748.aahh, karen, virginie, Sangrae, BryanEyler, jimsch, hhalpin, [Microsoft], israelh, [IPcaller]
21:04:29 <wseltzer> trackbot, end teleconf
21:04:29 <trackbot> Zakim, list attendees
21:04:29 <Zakim> sorry, trackbot, I don't know what conference this is
21:04:37 <trackbot> RRSAgent, please draft minutes
21:04:37 <RRSAgent> I have made the request to generate http://www.w3.org/2013/09/30-crypto-minutes.html trackbot
21:04:38 <trackbot> RRSAgent, bye
21:04:38 <RRSAgent> I see no action items