ACTION-112: Draft text on DSA issues for 1.1

Per ACTION-112, here is draft text for security considerations around use of the DSA algorithm and recommended key sizes.

                                                                                --bal

Proposed XML Signature 1.1 Language for DSAwithSHA1 (DSS)

In Section 6.1 ("Algorithm Identifiers and Implementation Requirements"), change Signature item 1 to read:


1.       REQUIRED for signature verification/OPTIONAL for signature generation DSAwithSHA1 (DSS)
http://www.w3.org/2000/09/xmldsig#dsa-sha1
Add the following security notice to the end of Section 6.4.1 ("DSA"):

Security considerations regarding DSA key sizes: Implementers of XML Signature 1.1 should be aware that as of the time of publication the permitted parameter sizes for DSA are too small to be used for long-term signatures.  Per FIPS 186-2 Change Notice 1, the DSA security parameter L is defined to be exactly 1024 and the corresponding DSA prime modulus p is defined to be in the interval 2^1023 < p < 2^1024.  However, in Special Publication SP 800-57, NIST recommends using at least at 2048-bit public keys for securing information beyond 2010 (and 3072-bit keys for securing information beyond 2030). (A forthcoming revision to FIPS 186 (FIPS 186-3) will allow DSA to be used with longer prime moduli and the SHA-256/SHA-384/SHA-512 hash functions.)

Since XML Signature 1.0 required implementations to support DSA-based digital signatures, this XML Signature 1.1 revision REQUIRES signature verifiers to implement DSA in order to guarantee interoperability with XML Signature 1.0 generators.   XML Signature 1.1 implementations MAY but are NOT REQUIRED to support DSA-based signature generation, and given the short key size and the SP800-57 guidelines we do not recommend use of DSA as currently limited to 1024-bit prime moduli for signatures that will be verified beyond 2010.