See also: IRC log
<trackbot> Date: 14 October 2013
<hhalpin> Who is GVoice and IPcaller?
<sangrae> this is sangrae calling from Skype
<hhalpin> mountie, want to introduce?
<hhalpin> http://mountielee.github.io/webcertapi/webcertapi_draft.html
<MichaelH> W3C Editor’s Draft 11 October 2013
<hhalpin> Oct 11trh?
<hhalpin> Which API?
<hhalpin> has the link?
sangrae: presenting webcert API;
latest version not on web yet
... Latest update changes use cases ...
... previous, focus on certs for Korean banking, but violates
same origin policies. ...
<scribe> ... New focus on cert mgmt instead of usage; doesn't violate same origin. ...
UNKNOWN_SPEAKER: Can revoke cert when not desired to use.
<jimsch> bryan, can you mute?
I believe I'm muted.
<rsleevi> :)
<arunranga> :-)
sangrae: When user wants to use cert, can issue request to CA; CA returns cert and UA sends notification to CA to use cert. ...
<trackbot> Sorry, rsleevi, I don't understand 'trackbot, pointer'. Please refer to <http://www.w3.org/2005/06/tracker/irc> for help.
sangrae: 3.6: First 3 methods to
request cert, plus generating and revoking methods. ...
... Currently working on API specs. ...
... will be ready for F2F.
Michael: What are we standardizing? Call to web-based CA? Or generic CA? Or supposed to standardize all CAs?
sangrae: Trying to standardize
all CAs.
... mainly focus on RFC 4210
... PKCS#10 req msgs
... more about UA being about to request from any CA using
those protocols.
Michael: UA communicates with all RFC 4210 CAs?
<hhalpin> Now in W3C space
<hhalpin> http://www.w3.org/2012/webcrypto/WebCertAPI/webcertapi.html
sangrae: Yes
<hhalpin> jim?
Jim: 3 different cert mgmt
protocols: CNC, CMP, PKCS10. Why choose to standardize
one?
... no mention of PKCS10 in doc.
sangrae: API will incorporate
PKCS10. In Korea, typically use CMP.
... anyone with knowledge of CNC; can incorporate. Still basic
API types: response and confirm.
<jimsch> rsleevi, Yes I did finally find it
<MichaelH> enum ReqType { // RFC 4210 Certificate Management Protocol. "cmp", // PKCS#10 type Certificate signing request. "pkcs10", };
Ryan: PKCS10 is referenced in
draft. Need to identify what capabilities are needed that
cannot be handled at the moment.
... can implement these protocols fully within JS.
... need to bring down to 1st principles. Take a look at work
products and identify features needed for use case.
<jimsch> +1 to making this in JavaScript for the current period of time
Ryan: to make progress, need the
problem space.
... don't understand the root set of problems that cannot be
addressed in JS.
... already apps that handle problem.
Sangrae: Trying to expand cert
request to cert mgmt.
... can handle issuing, updating, revoking.
<hhalpin> Here's one version of the banking use-case: http://www.w3.org/TR/2013/WD-webcrypto-usecases-20130108/#banking
Sangrae: PKCS#10 doesn't have mgmt protocol capabilities.
<hhalpin> That's why I referenced the earlier paragraph, as I think sangrae needs to go through
<hhalpin> and tighten his case, thta text seems to be a decent starting place
Sangrae: cert mgmt deals with public key pairs; cannot handle the keys in JS because it's insecure.
Ryan: Only discussing use case; need problem.
<hhalpin> Agree the use-case needs work, but I don't really understand the details of banking use-case
<hhalpin> it seems like they want a certficate management library
Ryan: how secure should keys
be?
... if wrote an app using current API, what are points that
cannot be used to write it?
... if no problems, need better documentation. If problems
exist, need to understand where.
Sangrae: Will provide problem statement.
Harry: Need more detail in
problem and why cannot use current API.
... is Sangrae going to make it to F2F?
Sangrae: Yes
<rsleevi> did we lose Michael?
Michael: Why is UA involved in process? What is it adding to the application?
Sangrae: In previous Korean
banking use cases, cert is used in web apps.
... if cert mgmt is in UA, then don't need extra plugins to
handle cert.
... currently causing security problem in Korea.
<arunranga> ACTION: Arun to bug-fix use cases document with removed banking use case. [recorded in http://www.w3.org/2013/10/14-crypto-minutes.html#action01]
<trackbot> Created ACTION-116 - Bug-fix use cases document with removed banking use case. [on Arun Ranganathan - due 2013-10-21].
Sangrae: main reason for standardizing.
<jimsch> It is not clear to me if the problem is how to deal with certificates, or if the problem is how to deal with single origin
Harry: Need to revisit in
F2F.
... believe trying to fix same origin problem.
... want to keep working group running beyond current
charter?
... some groups that have ending point, some that continue to
put out new versions.
... Would people want to discuss the future?
... How do we close issues like set of algorithms?
<rsleevi> I'd like to see us not take on any *new* items until we get to actual shipping and site experience. I think it's unreasonable to suggest "This can't be done" until people have tried
<hhalpin> well, MS has started shipping :)
Israel: Instead of going indefinitely, set achievements for different versions.
<hhalpin> but agreed, however, we need to figure out how to close some open issues
<hhalpin> and either we put them in a "roadmap" document
<hhalpin> and close them
Israel: important to address certificates since people will be asking about them.
<hhalpin> or we say "we're likely to go on with a new charter"
Harry?: Can close this out in F2F.
Ryan: Charter extremely broad.
Like to close up, then can look at secondary
deliverables.
... Should focus on immediate deliverables and have threads for
side-issues.
... instead of indefinite group, use charter to prioritize
issues
... lots missing from problem statement, but prioritize broad
and narrow problems.
Harry: Going back to closing out
issues on current API, what needs to be closed before last
call?
... do you have time to close them out? Any discussion on
specific issues?
Ryan: Want to go into F2F with
issues closed. Some issues don't fit API.
... some issues: want more algorithms, need registry point for
some algorithms
Harry: Nice to close out Dan's issues before F2F.
<hhalpin> oct 28th?
Harry: on call of 28th.
<hhalpin> That call to close out all of Dan's 28th.
Ryan: All can be closed.
... just need to add some notes
<jimsch> rsleevi; +1 from my memory from the call that most of them could be closed out
Ryan: already supported or addressed, just need rewording.
Harry: If somebody doesn't understand, good indicator that web devs won't understand as well.
<hhalpin> Lot of it was informative notes
Ryan: Everything is questioning
choice of algorithms or wording; no action
... should data and key be separate?
... for something like encrypt, does not make appropriate
API.
... from API design point, proposal is incorrect; should
close
... that's the only issue that would require lots of
change.
... others: ECC: additional curves (could add additional
curves)
... no guarantees of entropy
... bigger problems than WebCrypto
... Overall, issues can be closed out, just need communication
to ensure they're being addressed.
Harry: Respond to original email?
Ryan: Will do.
<rsleevi> ACTION: rsleevi to respond to Dr. Boneh's issues email [recorded in http://www.w3.org/2013/10/14-crypto-minutes.html#action02]
<trackbot> Created ACTION-117 - Respond to dr. boneh's issues email [on Ryan Sleevi - due 2013-10-21].
Harry: What issues should be addressed in F2F? Need a draft agenda.
Ryan: Put together finalized doc.
Should skip in favour of putting together new draft before F2F
to give enough time to review.
... people should have time to review before F2F
<hhalpin> I think the issues that need to be added are the draft solution re key wrapping
Ryan: need to get draft in final
review
... during implementation on Chrome side, issues brought
up
... need to understand Microsoft implementation
... any broad or concerning text?
<hhalpin> Anyone from Mozilla on phone?
Ryan: call or review? Prefer review.
Harry: Purpose of call to remind
to review.
... need to also request review from Mozilla
... anybody from Mozilla handling API?
<rsleevi> we can hear you
<hhalpin> ddahl has left Mozilla
Arun: Currently no implemention
since David left.
... won't be able to attend F2F
... can still review and interact with implementers
Israel: Trying to figure out how
promises maps to long-term strategy.
... when can implement it
... mapping to current spec
Harry: Main thing to do:
implementation experience section to walk through common
problems.
... like to get new version before F2F
... have people from W3C to do reviews after last call
... Graham Steel's group will be available
<MichaelH> What % of spec has been implemented so far?
Harry: any major open
issues?
... Promises is outside of WebCrypto scope.
Israelh: No objection, just
timeframe.
... when can bake it into platform
... need feedback on overall implementation before sending to
group
Harry: Anything else to cover in F2F?
Ryan: Have a number of members
representing non-UA.
... during review, instead of implementation concerns, like to
see members representing smart cards, etc. putting together
problem statements
... so we can merge interests to look for next steps.
<hhalpin> 2. Session on use-cases from non-implementers
Ryan: any common themes in problems
<hhalpin> ideally with problem statements/docs emailed out beforehand
Israel?: Great example is work that Netflix has done
scribe: Netlfix has real-world experience using API, so would be interesting to share that info
<rsleevi> +1 to Israel's comments
<MichaelH> Is Mark Watson going to F2F?
Harry: Will check on anybody from Netflix going.
<hhalpin> We're meeting for two days :)
Harry: 1st day: implementation concerns. 2nd day: problems missing solutions currently?
<MichaelH> How about Wednesday?
Ryan: Should interleave the issues to allow more discussion.
<arunranga> hhalpin, if possible, a dial-in for some of the sessions would be great if feasible.
<hhalpin> Wednesday will be quite busy with AC
Ryan: mixing would be productive and refreshing.
Harry: Challenge is to get use
cases emailed out ahead of time to form agenda.
... Will put a call out for putting forward the use cases.
Israel: Possible to have Netflix do a demo at EOD 1
<hhalpin> Netflix demo on day 1
Israel: for good example of how to use
Harry: Will send call out
... Time to close the call?
Michael: Hoping somebody else could contribute to key discovery implementation
<hhalpin> ACTION: hhalpin to send out call for use-cases for Crypto API [recorded in http://www.w3.org/2013/10/14-crypto-minutes.html#action03]
<trackbot> Created ACTION-118 - Send out call for use-cases for crypto api [on Harry Halpin - due 2013-10-21].
Michael: over email is fine
IsraelH: Anybody from Brazil involved in key management?
Harry: W3C office in Brazil, but not sure what's going on
Israel: Will do more research to find specific person
Harry: Can send the email, just need to know to whom.
<hhalpin> trackbot, end meeting
This is scribe.perl Revision: 1.138 of Date: 2013-04-25 13:59:11 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/[missed name]/sangrae/ Succeeded: s/Arun/Israelh/ Succeeded: s/[unknown]/IsraelH/ No ScribeNick specified. Guessing ScribeNick: bryaneyler Inferring Scribes: bryaneyler Default Present: +90533302aaaa, mete, hhalpin, Michael_Hutchinson, JYates, arunranga, bryaneyler, +1.650.214.aabb, nvdbleek, sangrae, [Microsoft], karen_oDonoghue Present: +90533302aaaa mete hhalpin Michael_Hutchinson JYates arunranga bryaneyler +1.650.214.aabb nvdbleek sangrae [Microsoft] karen_oDonoghue WARNING: No meeting chair found! You should specify the meeting chair like this: <dbooth> Chair: dbooth Found Date: 14 Oct 2013 Guessing minutes URL: http://www.w3.org/2013/10/14-crypto-minutes.html People with action items: arun hhalpin rsleevi[End of scribe.perl diagnostic output]