
SHA1 based signature algorithms in XML Signature 1.1

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 9 Jun 2009 12:51:13 +0200
Message-Id: <FCF1F175-43B0-4DE1-8C31-0FA8D97BB637@w3.org>
To: XMLSec WG Public List <public-xmlsec@w3.org>

Looking through the algorithms table in the editor's draft:

   http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/#sec-AlgID

... I notice that we have ample warning in the section on digest  
algorithms, but less (and different) in the section on signature  
algorithms.

Specifically:

1. HMAC-SHA1 is mandatory to implement, but discouraged to use.
2. DSA-SHA1 is mandatory to implement for verification, and optional  
for signature generation.
3. We do not give any admonishment for RSA-SHA1 (which remains
recommended), and for the optional ECDSA-SHA1.

Thoughts?
--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 9 June 2009 10:51:21 GMT
