Meeting minutes
[sharing slides: https://
Veronica: I am an Italian cryptographer from Telsy, with a math background, working in SING
… I am working on Cryptography usage in Web Standards
Slideset: https://
Simone: the idea is to have a guide for choosing algorithms in web standardization
Veronica: the idea for the breakout is providing info about the document, collecting feedback also in issues/PRs
… also if someone would like to join the effort
… why this, several standards use cryptographic primitives, and it is important to understand which one to use depending on the specific usage, also for the different parameters
… providing a reference for recommended use in different context
… and there is no single document to provide this list
… and can be useful for spec developers and for doing reviews
Veronica: After the intro and terminology, we have the list of SDOs divided into national, international, or regional, identifying different roles
… section 3 there are the services, the objective we need to achieve with cryptography
… then section 4 for keys, and recommendations e.g., on key length
… then section 5 on crypto agility, on the ability to update an algo
… also section 6 on the importance of PQC
… I am thinking of merging them into one section
… then the section 7 is the most technical part on the usage, divided in different subsections
… in each subsection we have the primitives and recommendations
Veronica: we can go deep here https://
<Andante> verocri I think we can't hear you
Veronica: After some terminology and definitions of SDOs with different types
… there are some bodies to standardize algos, other implementations
Matt: Which is the scope of this section?
Veronica: to have a list of recommended sources of information
Anna: my suggestion is to have the primitives with links
… e.g., having SHA, when it is defined
… w/o googling
… e.g., like in Section 7.4 it is good
Ivan: I came in the crypto from the outside, a document like this can be useful
… and this is not a spec
Anna: I am more into keeping this section 2.1 out, as the Note is already big
Matt: maybe it is too detailed for a web developer, for the use case of a web developer
… or having two documents
… e.g., an overview of the status of cryptography
… and another one
Ivan: having an overview it is important, from the outside
… we're talking about crypto for web standards
Matt: sometimes a WG using crypto should have a cryptographer
Sean_Turner: on one side, the question is, not to use your own crypto, use other things
Matt: We often rely on the IETF, and going with national bodies it can be complex
Simone: as we're worldwide, we should have a worldwide point of view
Veronica: thank you for all the feedback
… we can continue on the next section, following up on github
… on security services we have the definitions
… crosslinking section 7
[description of the various services]
also with some misconceptions
Sean_Turner: this is well defined, and clear, so that people have a common ground
… then section 4 for cryptographic keys and principles of a cryptographic system
… and how it is important to keep the keys private
… thank you Anna for the issue relative to this section, about defining symmetric vs asymmetric encryption
Anna: We also need to have a threat model
Simone: we refer in this guide to the threat modeling guide
Anna: we can talk later on about the level of details
… needed
… crypto agility and Post-quantum Cryptography (PQC) are important for the audience, thinking of merging them into a single section
… section 7 presents the primitives, in a deeper level
… with some recommendations
Anna: I have an issue related to curves, also maybe PQC and non-PQC should be together
… w3c/
… maybe it is also useful to include for each usage, PQC, and not PQC
… we can discuss later
Bert: to ask if there is an explanation of the reasons behind the note in 7.2 about preferring symmetric. Is it for performance reasons?
Anna: yes, for performance
Kazue: I am not sure about Data Encryption, maybe we can use long messaging encryption
… e.g., in a hybrid environment
… with KEM
… data is generic, it should be discouraged for long, not for short messages
Veronica: ok, thank you for your feedback, as I categorized it in a different way
Bert: some of the notes should probably be styled differently, as there are notes that seem to actually be recommendations while other notes are just explanations.
Veronica: ok, make the distinction between notes and recommendations
… visually