
RE: Algorithms draft posted

From: Brian LaMacchia <bal@exchange.microsoft.com>
Date: Mon, 1 Dec 2008 09:38:44 -0800
To: Frederick Hirsch <frederick.hirsch@nokia.com>, Kelvin Yiu <kelviny@exchange.microsoft.com>
CC: XMLSec WG Public List <public-xmlsec@w3.org>
Message-ID: <7684468BFDC4704884E4688E5CD1050581E2748BE9@df-whippet-msg.exchange.corp.microsoft.com>

Well, personally, I'd suggest we change DSAwithSHA1 to Optional, because as originally defined the max DSS key size was 1024 bits with a 160-bit subgroup, which is too small.  (I think the most recent FIPS for DSS increased this, but since the RSA patent expired I haven't seen any serious demand for DSS beyond check-box compliance.) 

Anyone see a problem with moving DSAwithSHA1 from Required in 1.0 to Optional in 1.1?


-----Original Message-----
From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org] On Behalf Of Frederick Hirsch
Sent: Monday, December 01, 2008 8:08 AM
To: Kelvin Yiu
Cc: XMLSec WG Public List; Frederick Hirsch
Subject: Re: Algorithms draft posted

Thanks for updating the algorithms draft Kelvin.

One question -  Did you mean to leave DSAwithSHA1 required?

Required DSAwithSHA1 (DSS)
http://www.w3.org/2000/09/xmldsig#dsa-sha1

or to make it optional (in section 6.1)?

Does earlier text in 4.4.2 suggest that it is no longer required?   
(The change in patent status for RSA since the original XML Signature  
draft could imply a change in this requirement)

regards, Frederick

Frederick Hirsch

On Nov 21, 2008, at 4:26 PM, Frederick Hirsch wrote:

> Kelvin has made an update to the 1.1 algorithms draft, and has also  
> produced a red-line.
> I also suggested a change to the file names so the URLs have changed  
> (sorry):
> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm
> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/xmldsig-ecc.xsd
> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview_diff.htm
> Thanks very much to Kelvin for completing this quickly.
> All - please review before the next call.
> regards, Frederick
> Frederick Hirsch, Nokia
> Chair XML Security WG
> On Nov 17, 2008, at 6:55 PM, ext Kelvin Yiu wrote:
>> FYI I have posted a working draft that incorporates new algorithms  
>> (ECDSA and SHA2) into XMLDSIG. The URLs are not publicly visible  
>> yet and Thomas and Frederick are helping with setting ACLs.
>>  http://www.w3.org/2008/xmlsec/Drafts/xmldsig/XML Signature Syntax  
>> and Processing 1.1 draft.htm
>>  http://www.w3.org/2008/xmlsec/Drafts/xmldsig/xmldsig-core-schema  
>> 1.1.xsd
>> Here is a summary of the changes:
>> 1.  Added a new ECKeyValue element to represent ECC public keys.  
>> The new element is in the ds namespace, but there is a  
>> recommendation to support a small profile of the ECDSAKeyValue  
>> element with named curves in RFC 4050.
>> 2.  Restructured the ExplicitParams element in 4050 to align with  
>> the ASN.1 equivalent definition in ANSI X9.62 and RFC 3279.
>> 3.  Added SHA256, SHA384 and SHA512 to list of digest, signature  
>> and MAC algorithms.
>> 4.  RSA-SHA256 and ECDSA-SHA256 are now REQUIRED
>> 5.  Added a bunch of new references but not done yet.
>> Kelvin
Received on Monday, 1 December 2008 17:39:29 UTC
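
Added example, not part of the original thread or of any W3C code: a Python check that reports whether a `ds:Signature` uses the dsa-sha1 identifier quoted above and whether its `DSAKeyValue` is at or below the 1024-bit / 160-bit subgroup sizes the message calls too small. The function names and the sample input are constructed for illustration; the sample is trimmed to the elements the check reads, and its P and Q are not real DSA parameters.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DSA_SHA1 = DS + "dsa-sha1"  # identifier quoted in the thread

def b64_int(n):
    """Encode an integer as ds:CryptoBinary (base64 of big-endian octets)."""
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def make_sample(p, q):
    # Constructed input: p and q are NOT real DSA parameters, only their sizes matter.
    return (f'<Signature xmlns="{DS}"><SignedInfo>'
            f'<SignatureMethod Algorithm="{DSA_SHA1}"/></SignedInfo>'
            f'<KeyInfo><KeyValue><DSAKeyValue><P>{b64_int(p)}</P><Q>{b64_int(q)}</Q>'
            f'</DSAKeyValue></KeyValue></KeyInfo></Signature>')

SAMPLE = make_sample((1 << 1023) | 1, (1 << 159) | 1)

def bits(elem):
    raw = base64.b64decode("".join((elem.text or "").split()))  # tolerate wrapped base64
    return int.from_bytes(raw, "big").bit_length()

def audit_signature(xml_text, weak_p=1024, weak_q=160):
    """Report the signature algorithm and any DSA key at or below weak_p/weak_q bits."""
    ns = {"ds": DS}
    # ElementTree is not hardened against entity expansion: parse trusted input only.
    root = ET.fromstring(xml_text)
    method = next(root.iter(f"{{{DS}}}SignatureMethod"), None)
    report = {"dsa_sha1": method is not None and method.get("Algorithm") == DSA_SHA1,
              "keys": [], "findings": []}
    for kv in root.iter(f"{{{DS}}}DSAKeyValue"):
        p, q = kv.find("ds:P", ns), kv.find("ds:Q", ns)
        if p is None or q is None:  # P and Q are optional in the schema
            report["findings"].append("DSAKeyValue without P/Q: size unknown")
            continue
        size = (bits(p), bits(q))
        report["keys"].append(size)
        if size[0] <= weak_p or size[1] <= weak_q:
            report["findings"].append(f"DSA key {size[0]}/{size[1]} bits is too small")
    return report

if __name__ == "__main__":
    print(audit_signature(SAMPLE))
```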
