W3C home > Mailing lists > Public > public-xmlsec@w3.org > December 2008

Digital Signatures use in widgets

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Thu, 18 Dec 2008 08:07:00 -0500
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
Message-Id: <0A9F799A-A879-4FD5-B6FB-EF510B25BAEE@nokia.com>
To: XMLSec WG Public List <public-xmlsec@w3.org>
fyi

regards, Frederick

Frederick Hirsch
Nokia



Begin forwarded message:

> From: "ext Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>
> Date: December 18, 2008 8:03:53 AM EST
> To: "David Rogers" <david.rogers@omtp.org>, <public-webapps@w3.org>
> Cc: "Frederick Hirsch" <frederick.hirsch@nokia.com>, "Thomas  
> Roessler" <tlr@w3.org>
> Subject: RE: [widgets] Digital Signatures questions for discussion
>
> Hi All,
>
> Marcos, Frederick and I met with Thomas at the recent W3C Security  
> workshop and were able to answer the questions that I had put  
> forward following the face-to-face discussion with the XML Security  
> working group in Mandelieu.
>
> In short we agreed:
>
> 1. DSA-SHA256 will be specified as a second mandatory Signature  
> Algorithm. The XML Security working group will specify the necessary  
> URI as this is currently not available.
>
> 2. The Widgets 1.0: Digital Signature specification will mandate the  
> use of a Usage element (in place of the profile element). This will  
> allow signatures to be created that can be used for different  
> purposes with different processing requirements. Exact details to be  
> worked out.
>
> 3. The Widgets 1.0: Digital Signatures specification will support  
> the use of a Timestamp element. This will allow the signature to  
> have a shorter lifetime than the certificate associated to it. The  
> timestamp need not be generated by a trusted time stamp authority -  
> it will only be valid provided that the certificates associated to  
> the signature are also still valid (not expired or revoked)
>
> 4. The Usage and Timestamp elements will be specified in a separate  
> specification so that they can be used by other specifications based  
> on XML DigSig. Frederick has drafted an initial proposal at http://www.w3.org/2008/xmlsec/Drafts/xmldsig-properties/
>
> Thomas/Marcos/Frederick - please feel free to correct or add to the  
> above.
>
> Comments and questions welcomed.
>
> Thanks,
>
> Mark
>
>
>
>
>
>
> From: public-webapps-request@w3.org [mailto:public-webapps-request@w3.org 
> ] On Behalf Of David Rogers
> Sent: 14 November 2008 15:59
> To: public-webapps@w3.org
> Subject: [widgets] Digital Signatures questions for discussion
>
> Dear all,
>
> In Mark Priestley’s absence, he has asked me to forward these  
> questions for discussion within WebApps, with the intention of this  
> group submitting  to the XML Digital Signatures group. These  
> questions are in response to the discussions at TPAC:
>
> 1. While it is recognised that there is a broad move to elliptic  
> curve techniques, please can you provide an explanation for your  
> recommendation that DSA should not be supported even with 2048 bit  
> keys?
>
> Note: We are aware that there is no published specification  
> describing the use of DSA with key lengths over 1024 but there is a  
> NIST draft[1] (publication process due to start before the end of  
> the year). It has also been noted that there are concerns around  
> licensing on elliptic curve technologies.
>
> 2. Please can you explain in more detail how you would propose to  
> use the profile element?
>
> 3. Similarly, please can you explain how the addition of the  
> timestamp would help with the revocation process? We assume that you  
> require the timestamp to come from a Trusted Timestamp Authority
>
> [1] http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-3%20_March2006.pdf
>
>
> Thanks,
>
>
> David.
>
> David Rogers
> OMTP Director of External Relations
Received on Thursday, 18 December 2008 13:07:58 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:55 GMT