06:37:46 <RRSAgent> RRSAgent has joined #cryptography-guidelines
06:37:50 <RRSAgent> logging to https://www.w3.org/2025/11/12-cryptography-guidelines-irc
06:37:50 <breakout-bot> RRSAgent, do not leave
06:37:51 <breakout-bot> RRSAgent, this meeting spans midnight
06:37:51 <breakout-bot> RRSAgent, make logs public
06:37:52 <breakout-bot> Meeting: Cryptography Usage Guideline in Web Standards
06:37:53 <breakout-bot> Chair: Veronica Cristiano, Simone Onofri
06:37:53 <breakout-bot> Agenda: https://github.com/w3c/tpac2025-breakouts/issues/40
06:37:53 <Zakim> Zakim has joined #cryptography-guidelines
06:37:54 <breakout-bot> Zakim, clear agenda
06:37:55 <Zakim> agenda cleared
06:37:55 <breakout-bot> Zakim, agenda+ Pick a scribe
06:37:56 <Zakim> agendum 1 added
06:37:56 <breakout-bot> Zakim, agenda+ Reminders: code of conduct, health policies, recorded session policy
06:37:57 <Zakim> agendum 2 added
06:37:57 <breakout-bot> Zakim, agenda+ Goal of this session
06:37:57 <Zakim> agendum 3 added
06:37:57 <breakout-bot> Zakim, agenda+ Discussion
06:37:59 <Zakim> agendum 4 added
06:37:59 <breakout-bot> Zakim, agenda+ Next steps / where discussion continues
06:37:59 <Zakim> agendum 5 added
06:37:59 <breakout-bot> Zakim, agenda+ Adjourn / Use IRC command: Zakim, end meeting
06:38:00 <Zakim> agendum 6 added
06:38:01 <breakout-bot> breakout-bot has left #cryptography-guidelines
07:03:45 <tantek-projector> tantek-projector has joined #cryptography-guidelines
07:18:04 <verocri> verocri has joined #cryptography-guidelines
07:18:28 <simone> simone has joined #cryptography-guidelines
07:18:49 <JennieM7> JennieM7 has joined #cryptography-guidelines
07:18:49 <JennieM7> JennieM7 has left #cryptography-guidelines
07:18:49 <Andante> Andante has joined #cryptography-guidelines
07:19:18 <ivan> ivan has joined #cryptography-guidelines
07:19:28 <JennieM> JennieM has joined #cryptography-guidelines
07:19:29 <ivan> present+
07:19:37 <JennieM> present+
07:20:00 <Andante> present+
07:20:02 <yasushi_Sony> yasushi_Sony has joined #cryptography-guidelines
07:20:25 <ewooton> ewooton has joined #cryptography-guidelines
07:21:07 <simone> present+
07:21:32 <Bert> Bert has joined #cryptography-guidelines
07:22:21 <Kazue> Kazue has joined #cryptography-guidelines
07:23:09 <Bert> present+ Bert Bos
07:23:54 <simone> [sharing slides: https://docs.google.com/presentation/d/1A8O9hHJvpLIr9tgWcFtDaAn5-FH8bCXyEf34ZrPBW04/edit?usp=sharing]
07:24:31 <simone> Veronica: I am italian crypgographer from telsy, with a math background, working in SING
07:24:51 <simone> ... I am working on Cryptography usage in Web Standards
07:25:20 <Bert> slideset: https://docs.google.com/presentation/d/1A8O9hHJvpLIr9tgWcFtDaAn5-FH8bCXyEf34ZrPBW04/edit?usp=sharing
07:25:24 <Bert> [slide 1]
07:25:27 <Bert> [slide 2]
07:25:36 <Bert> [slide 3]
07:26:15 <Roger> Roger has joined #cryptography-guidelines
07:27:24 <simone> Simone: the idea is to have a guide for choosing algorithms in web standardization
07:28:00 <simone> Veronica: the idea for the breakout is providing info about the document, collecting feedback also in issues/PRs
07:28:10 <simone> ... also if someone would like to joint the effort
07:29:09 <Bert> i/Simone/[slide 4]
07:29:13 <simone> ... why this, several standards use cryptographic primitives, and it is important to understand which one to use depending on the specific usage, also for the different parameters
07:29:19 <Bert> i/Veronica/[slide 5]
07:29:33 <simone> ... providing a reference for recommended use in different context
07:30:06 <simone> ... and there is no a single document to provide this list
07:30:30 <simone> ... and can be useful for spec developers and for doing reviews
07:30:57 <Bert> [slide 6]
07:31:43 <simone> Veronica: After the intro and terminology, we have the list of SDOs divided into national, international, or regional, identfying different roles
07:33:29 <watanabe> watanabe has joined #cryptography-guidelines
07:33:34 <simone> ... section 3 there are the services, the objective we need to achieve with cryptography
07:33:34 <simone> ... then section 4 for keys. and recommendation e.g., on key lenght
07:33:34 <simone> ... then section 5 on crypto agility on the ability to update ad algo
07:33:34 <simone> ... also section 6 on the importance of PQC
07:33:36 <simone> ... I am thinking to merge them in a section
07:33:36 <simone> ... then th section 7 is the most technical part on the usage, divided in different subsections
07:33:54 <simone> ... in each subsections we have the primitives and reccomendations
07:34:11 <Bert> [slide 7]
07:34:54 <simone> Veronica: we can go deep here https://w3c.github.io/security-guidelines-cryptography/
07:35:55 <Andante> verocri I think we don't hear you
07:36:04 <Bert> s/ th / the /
07:38:35 <simone> Veronica: After some terminology and definitions of SDOs with differnet types
07:39:17 <Bert> s/differnet/different/
07:40:52 <simone> ... there are some bodies to standardize algos, other implementations
07:41:13 <simone> Matt: Which is the scope of this section?
07:42:01 <simone> Veronica: to have a list of reccomended source of information
07:42:50 <simone> Anna: my suggestion is to have the primitives with links
07:43:07 <simone> ... e.g., having SHA, when it is defined
07:43:29 <simone> ... w/o googling
07:44:18 <simone> ... e.g., like in Section 7.4 it is good
07:44:45 <simone> Ivan: I came in the crypto from the outside, a document like this can be useful
07:45:08 <simone> ... and this is not a spec
07:46:27 <simone> Anna: I am more into keeping out, as the Note is alredy big
07:49:01 <simone> Matt: maybe it is too detailed for a web developer, for the use case of a web developer
07:49:08 <simone> ... or having two documents
07:49:23 <simone> ... e.g., an overview of the status of cryptography
07:49:26 <simone> ... and another one
07:49:47 <simone> Ivan: having an overview it is important, from the outside
07:50:03 <simone> ... we're talking about crypto for web standards
07:51:10 <simone> Matt: sometimes, a WG using crypto, should have a cryptographer
07:52:43 <Bert> s/keeping out/keeping this section 2.1 out/
07:54:42 <simone> @@1: on one side, the question is, not to use your own crypto, use other things
07:54:42 <simone> Matt: We often rely on the IETF, and going with national bodies it can be complex
07:54:42 <simone> Simone: as we're worldwide, we should have a worldwide point of view
07:54:56 <simone> Veronica: thank you for all the feedback
07:55:12 <simone> ... we can continue on the next section, following up on github
07:55:33 <simone> ... on security services we hasve teh definitions
07:55:58 <simone> ... crosslinking section 7
07:56:43 <simone> [lisri]
07:57:00 <simone> s/[lisri]/[description of the various services]
07:57:07 <simone> s/[lisri]/[description of the various services]/
07:57:15 <simone> ... also with some misconceptions
07:58:50 <simone> @@1: this is well defined, and clear, so that people have a common ground
07:59:05 <Bert> s/@@1/Sean_Turner/g
07:59:26 <simone> ... then section 4 for cryptographic keys and principles of a cryptographic system
07:59:40 <simone> ... and how it is important to keep the keys private
08:00:12 <simone> ... thank you Anna for the issue relative to this section
08:00:52 <simone> Anna: We also need to have a threat model
08:02:15 <Bert> s/section/section, about defining symmetric vs asymmetric encryption
08:02:16 <simone> Simone: we refer this guide to the threat modeling guide
08:02:44 <Bert> s/this/in this/
08:02:51 <simone> Anna: we can talk later on about the level of details
08:02:56 <simone> ... needed
08:04:00 <simone> ... crypto agility and PQC are important for the audience, thiking to merge in a unique section
08:04:23 <simone> ... section 7 presents the primitives, in a deeper level
08:05:06 <simone> ... with some reccomendations
08:05:13 <Bert> s/PQC/Post-quantum Cryptography (PQC)
08:08:00 <simone> Anna: I have an issue related to curves, also maybe PQC and non-PQC should be togheter
08:08:22 <simone> ... https://github.com/w3c/security-guidelines-cryptography/issues/5
08:09:12 <Bert> q+ to ask if there is an explanation of the reasons behind the note in 7.2.about preferring symmetric. Is it for performance reasons?
08:09:27 <simone> ... maybe it is also useful to include for each usage, PQC, and not PQC
08:10:13 <simone> ... we can discuss later
08:10:24 <Kazue> q
08:10:30 <Kazue> q+
08:10:50 <simone> Bert: to ask if there is an explanation of the reasons behind the note in 7.2 about preferring symmetric. Is it for performance reasons?
08:10:50 <simone> Anna: yes, for performance
08:10:57 <Bert> ack me
08:10:58 <Zakim> Bert, you wanted to ask if there is an explanation of the reasons behind the note in 7.2.about preferring symmetric. Is it for performance reasons?
08:11:36 <simone> ack Kaz
08:12:12 <simone> Kazue: I am not sure about Data Encryption, maybe we can use long messaging encryption
08:12:58 <simone> ... e.g., in an hybrid environment
08:14:36 <simone> ... with KAM
08:14:42 <simone> s/KAM/KEM/
08:15:13 <simone> ... data is generic, it should be discouraged for long, not for short messages
08:16:10 <simone> Veronica: ok, thank you for your feedback. as I categorized in a different way
08:16:10 <Bert> q+ to ask (maybe later) if some of the notes shouldn't be styled differently, as there are notes that seem to actually be recommendations while other notes are just explanations.
08:16:38 <simone> Bert: some of the notes shouldn't be styled differently, as there are notes that seem to actually be recommendations while other notes are just explanations.
08:17:18 <simone> Veronica: ok, make distinctions from notes and reccomendations
08:17:23 <simone> ... visually
08:18:10 <Bert> s/shouldn't/should probably/
08:19:34 <simone> RRSagent, draft minutes
08:19:36 <RRSAgent> I have made the request to generate https://www.w3.org/2025/11/12-cryptography-guidelines-minutes.html simone
08:40:27 <simone> s/@@1/Sean
08:40:30 <simone> RRSagent, draft minutes
08:40:32 <RRSAgent> I have made the request to generate https://www.w3.org/2025/11/12-cryptography-guidelines-minutes.html simone
13:43:17 <tidoust> tidoust has joined #cryptography-guidelines
13:43:22 <tidoust> RRSAgent, bye
13:43:22 <RRSAgent> I see no action items