W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2011

Re: [widgets] How to divorce widgets-digsig from Elliptic Curve PAG?

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Wed, 14 Dec 2011 19:12:02 +0000
To: Philippe Le Hegaret <plh@w3.org>
Cc: Arthur Barstow <art.barstow@nokia.com>, Frederick Hirsch <frederick.hirsch@nokia.com>, Thomas Roessler <tlr@w3.org>, Doug Schepers <schepers@w3.org>, Rigo Wenning <rigo@w3.org>, public-webapps <public-webapps@w3.org>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <223A88B9B4834B7394AB9BB5AC0CD3A3@gmail.com>

On Tuesday, December 13, 2011 at 9:14 PM, Philippe Le Hegaret wrote:

> On Tue, 2011-12-13 at 13:14 -0500, Arthur Barstow wrote:
> An other one was for the Director to decide to move the document forward
> anyway because W-DigSig doesn't depend on ECC.
> Thomas, any suggestion?

I personally think this is the route of least pain. Widgets Dig Sig just says to do whatever XML Dig Sigs says to do, and it has no explicit dependency on ECC. Furthermore, no widget engine supports ECC to my knowledge and no content has been signed with ECC to my knowledge. Using ECC is certainly not something that is explicitly recommended in Widgets Dig Sig: 

The recommended signature algorithm is RSA using the RSAwithSHA256 signature identifier: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
The recommended key lengths are: 4096 bits for RSA.
The recommended digest method is SHA-256.
The recommended canonicalization algorithm is Canonical XML Version 1.1 (omits comments). 
The recommended certificate format is X.509 version 3 as specified in [RFC5280]. 
Received on Wednesday, 14 December 2011 19:12:48 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:37 UTC