W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [widget-digsig] Pls review: Additional considerations on elliptic curve algorithms to consider

From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Date: Thu, 23 Apr 2009 08:20:18 -0400
Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, "marcosc@opera.com" <marcosc@opera.com>, "Priestley, Mark, VF-Group" <Mark.Priestley@Vodafone.com>, Web Applications Working Group WG <public-webapps@w3.org>, "Babbage, Steve, VF-Group" <Steve.Babbage@Vodafone.com>
Message-Id: <B1EB51D8-762A-43FC-A5EF-E30DDF3F254C@nokia.com>
To: ext David Rogers <david.rogers@omtp.org>
I agree .  Also to be clear Mark, I believe you are saying VF supports  
a MUST in the XML Signature 1.1 specification.

regards, Frederick

Frederick Hirsch

On Apr 23, 2009, at 8:15 AM, ext David Rogers wrote:

> Marcos,
> Surely the logic should support algorithm evolution in that way. If  
> it is a SHOULD it doesn't mean that engines need to support all  
> algorithms - that would be a SHALL? If we say nothing at all, you  
> run the risk of dropping off a security cliff if you need to migrate  
> in the future. A SHOULD at least prescribes an intended roadmap and  
> gives the option for implementers to go for that if they so choose.
> Thanks,
> David.
> -----Original Message-----
> From: public-webapps-request@w3.org [mailto:public-webapps-request@w3.org 
> ] On Behalf Of Marcos Caceres
> Sent: 23 April 2009 08:53
> To: Priestley, Mark, VF-Group
> Cc: Frederick Hirsch; Web Applications Working Group WG; Babbage,  
> Steve, VF-Group
> Subject: Re: [widget-digsig] Pls review: Additional considerations  
> on elliptic curve algorithms to consider
> On Thu, Apr 23, 2009 at 9:31 AM, Priestley, Mark, VF-Group
> <Mark.Priestley@vodafone.com> wrote:
>> Hi Frederick, All,
>> Vodafone supports the move to support ECDSA in XML Signature 1.1  
>> [2] and
>> welcomes the new clarifying text. Vodafone will not object to
>> ECDSAwithSHA256 being specified as mandatory [2] however we would  
>> like
>> to propose that it is a recommended algorithm in Widgets 1.0: Digital
>> Signatures [5] (e.g. a SHOULD).
> Sorry, it doesn't make sense to have them as a "should" in this
> context. Either they are in or out because in practice engines will
> need to support all prescribed algorithms. Lets keep to the smallest
> possible subset of most commonly used algorithms in 1.0; every
> algorithm we add makes this specification more difficult/expensive to
> implement, adds more points of failure, etc. If the market shifts to
> new algorithms, then we can add those later in a new draft.
> Kind regards,
> Marcos
> -- 
> Marcos Caceres
> http://datadriven.com.au
Received on Thursday, 23 April 2009 12:21:31 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:16 UTC