Re: ECDSA, "plain" vs "non-plain"

From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
Date: Thu, 07 May 2009 13:24:01 +0200
Message-ID: <4A02C4D1.9030605@iaik.tugraz.at>
To: Thomas Roessler <tlr@w3.org>
CC: XMLSec WG Public List <public-xmlsec@w3.org>
Thomas Roessler schrieb:
> we actually *don't* use the ASN.1 sequence, in other words, we're
> going for the "plain" alternative anyway.
Right, in XMLDSIG all DSA and ECDSA variants concatenate (r||s) and base64
encode it; there is no ASN.1 encoding here.
> That, to me, suggests that we only coin identifiers for the "plain"
> variants of ECDSA-RIPEMD160 (and -whirlpool),

Okay, maybe it's best to ignore the BSI variants and only specify:

URI:
http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160
Specification:
#ecdsa-ripemd160 identifies a signature method processed in the same way as specified by the #ecdsa-sha1 with the exception that RIPEMD160 is used instead of SHA-1.

URI:
http://www.w3.org/2007/05/xmldsig-more#ecdsa-whirlpool
Specification:
#ecdsa-whirlpool fragment identifies a signature method processed in the same way as specified by the #ecdsa-sha512 fragment with the exception that WHIRLPOOL is used instead of SHA-512.

URI:
http://www.w3.org/2007/05/xmldsig-more#rsa-whirlpool
Specification:
#rsa-whirlpool fragment identifies a signature method processed in the same way as specified by the #rsa-sha512 fragment with the exception that WHIRLPOOL is used instead of SHA-512.


This is possible in such brevity, because they are in line with what is currently specified in XMLDSIG so that's all the text needed.


> and don't bother with the non-plain ones.

If we would bother however ...

The problem is that the BSI calls their variant "plain" although it's
distinct only by the fact that _the hash value is modulo reduced as
opposed to truncated_ (the latter as in XMLDSIG, resp. fips-186-2 /
fips-186-3 draft, resp. X9.62).
So the BSI variant (which they call "plain"; they should rather have
called it "not-truncated-hash" or so) is not compatible with X9.62.

For the BSI variant (if we want to cover it) one could write
"-non-trunc" instead of "-plain" as this emphasizes the real difference.

http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160-non-trunc

http://www.w3.org/2007/05/xmldsig-more#ecdsa-whirlpool-non-trunc

URI:
http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160-non-trunc

Specified in:
German BSI Technical Guideline TR-03111
<http://www.bsi.bund.de/literat/tr/tr03111/BSI-TR-03111.pdf#page=27>

Note: #ecdsa-ripemd160-non-trunc identifies a signature method processed
in the same way as specified by the #ecdsa-ripemd160 fragment. If
however the hash length is larger than the domain parameter length the
hash is not truncated like in X9.62; rather it is reduced modulo n, the
order of the base point G.


URI:
http://www.w3.org/2007/05/xmldsig-more#ecdsa-whirlpool-non-trunc

Specified in:
German BSI Technical Guideline TR-03111
<http://www.bsi.bund.de/literat/tr/tr03111/BSI-TR-03111.pdf#page=27>
cf. ecdsa-with-Specified where "Specified" is WHIRLPOOL.

The #ecdsa-whirlpool-non-trunc fragment identifies a signature method
processed in the same way as specified by the #ecdsa-whirlpool fragment.
If however the hash length is larger than the domain parameter length
the hash is not truncated like in X9.62; rather it is reduced modulo n,
the order of the base point G.

best regards
Konrad

-- 
Konrad Lanz, IAIK/SIC - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5547
Fax: +43 316 873 5520
http://www.iaik.tugraz.at/content/about_iaik/people/lanz_konrad/
http://jce.iaik.tugraz.at/sic/products/xml_security

Download certificate chain (including the EuroPKI root certificate):
http://ca.iaik.tugraz.at/capso/certs.jsp
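To make the truncation-versus-modulo-n distinction and the plain (r||s) SignatureValue encoding discussed in the mail concrete, here is an added Python example; it is not part of the original message, the W3C XMLDSIG text or BSI TR-03111. It assumes SHA-512 paired with the NIST P-256 group order as a stand-in for the "hash longer than n" case, and the r and s values it encodes are constructed placeholders rather than real ECDSA output.

```python
import base64
import hashlib

# Order n of the NIST P-256 base point (a well-known constant), used as a sample
# 256-bit domain parameter: a 512-bit SHA-512 digest is longer than n, so the
# X9.62 truncation rule and the BSI modulo-n rule yield different integers.
N_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def hash_to_int_truncated(digest, n):
    """X9.62 / FIPS 186-3 rule: keep only the leftmost bitlen(n) bits of the
    digest (a digest no longer than bitlen(n) bits is used unchanged)."""
    excess_bits = max(0, 8 * len(digest) - n.bit_length())
    return int.from_bytes(digest, "big") >> excess_bits


def hash_to_int_mod_n(digest, n):
    """BSI TR-03111 variant as described in the mail: the whole digest is
    interpreted as an integer and reduced modulo n instead of truncated."""
    return int.from_bytes(digest, "big") % n


def encode_rs_plain(r, s, n):
    """XMLDSIG SignatureValue: r and s as fixed-width big-endian octet strings
    (width = octet length of n), concatenated r||s and base64 encoded; no ASN.1."""
    width = (n.bit_length() + 7) // 8
    return base64.b64encode(r.to_bytes(width, "big") + s.to_bytes(width, "big")).decode("ascii")


def decode_rs_plain(b64, n):
    """Inverse of encode_rs_plain; rejects a blob of the wrong length."""
    width = (n.bit_length() + 7) // 8
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 2 * width:
        raise ValueError(f"expected {2 * width} octets of r||s, got {len(raw)}")
    return int.from_bytes(raw[:width], "big"), int.from_bytes(raw[width:], "big")


def compare_rules(message, n=N_P256):
    """Hash with SHA-512 and derive the integer e under both rules for this n."""
    digest = hashlib.sha512(message).digest()
    e_trunc = hash_to_int_truncated(digest, n)
    e_mod = hash_to_int_mod_n(digest, n)
    return {"truncated": e_trunc, "mod_n": e_mod, "differ": e_trunc != e_mod}


if __name__ == "__main__":
    # Constructed sample input; r and s are placeholders for the encoding round trip.
    print(compare_rules(b"constructed sample SignedInfo octets"))
    sig = encode_rs_plain(0x1234, N_P256 - 1, N_P256)
    print(sig, decode_rs_plain(sig, N_P256))
```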



Received on Thursday, 7 May 2009 11:24:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:58 GMT