RE: ACTION 515: Propose schema addition for ISSUE-186

> I think there should at least be an informal reference to the PKCS #5
> v2.0 Amd.1 document since it does give the reader more background on the
> constructs and is the source of the XML schema herein.
>-- Magnus

I agree. I've reworded the first paragraph thus:

--------------------------------------------------------------------------------
  The PBKDF2 key derivation algorithm and the ASN.1 type definitions for
  its parameters are defined in PKCS #5 v2.0 [PKCS5]. The XML schema
  definitions for the parameters are defined in [PKCS5Amd1] and the same can
  be specified by enclosing them within an xmlenc11:PBKDF2-params child
  element of the xmlenc11:KeyDerivationMethod element.

[PKCS5Amd1]: http://www.w3.org/TR/xmlenc-core1/#ref-PKCS5Amd1
--------------------------------------------------------------------------------

Does this look good?

thanks,
--
ajd.


-----Original Message-----
From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org] On Behalf Of Magnus Nystrom
Sent: Thursday, February 25, 2010 10:05 PM
To: D'Souza, Aldrin; public-xmlsec@w3.org
Subject: RE: ACTION 515: Propose schema addition for ISSUE-186



> -----Original Message-----
> From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org]
> On Behalf Of aldrin.dsouza@rsa.com
> Sent: Wednesday, February 24, 2010 10:31 PM
> To: public-xmlsec@w3.org
> Subject: ACTION 515: Propose schema addition for ISSUE-186
>
> Here's the proposed text for section 5.4.2 of XML Encryption 1.1. As
> discussed, I've removed the reference to the PKCS#5 schema amendment
> document and copied the schema definitions (as defined there) inline.
> Please review.
>
> --------------------------------------------------------------------------------
> 5.4.2 PBKDF2
>
>   Identifier:
> 	http://www.w3.org/2010/xmlenc11#pbkdf2 (OPTIONAL)
>
>   The PBKDF2 key derivation algorithm and the ASN.1 type definitions for
>   its parameters are defined in PKCS #5 v2.0 [PKCS5]. The algorithm
>   parameters can be specified by enclosing them within an
>   xmlenc11:PBKDF2-params child element of the xmlenc11:KeyDerivationMethod
>   element.
>
> Schema Definition:
>
>   <element name="PBKDF2-params" type="xmlenc11:PBKDF2ParameterType"/>
>
>   <complexType name="AlgorithmIdentifierType">
>     <sequence>
>       <element name="Parameters" minOccurs="0"/>
>     </sequence>
>     <attribute name="Algorithm"/>
>   </complexType>
>
>   <complexType name="PRFAlgorithmIdentifierType">
>     <complexContent>
>       <restriction base="AlgorithmIdentifierType">
>         <attribute name="Algorithm" type="anyURI"
>           default="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>       </restriction>
>     </complexContent>
>   </complexType>
>
>   <complexType name="PBKDF2ParameterType">
>     <sequence>
>       <element name="Salt">
>         <complexType>
>           <choice>
>             <element name="Specified" type="base64Binary"/>
>             <element name="OtherSource"
>               type="xmlenc11:AlgorithmIdentifierType"/>
>           </choice>
>         </complexType>
>       </element>
>       <element name="IterationCount" type="positiveInteger"/>
>       <element name="KeyLength" type="positiveInteger"/>
>       <element name="PRF" type="xmlenc11:PRFAlgorithmIdentifierType"/>
>     </sequence>
>   </complexType>
>
>   The PBKDF2-params element and its child elements have the same names and
>   meaning as the corresponding components of the PBKDF2-params ASN.1 type
>   in [PKCS5].
>
>   The AlgorithmIdentifierType corresponds to the AlgorithmIdentifier type
>   of [PKCS5] and carries the algorithm identifier in the Algorithm
>   attribute. Algorithm specific parameters, where applicable, can be
>   specified using the Parameters element.
>
>   The PRFAlgorithmIdentifierType is derived from the
>   AlgorithmIdentifierType and constrains the choice of algorithms to those
>   contained in the PBKDF2-PRFs set defined in [PKCS5]. This type is used to
>   specify a pseudorandom function for PBKDF2 and the default PRF algorithm
>   (HMAC-SHA1) is the same as in [PKCS5]. It is RECOMMENDED to use
>   HMAC-SHA256 as the PRF algorithm (see [XML-DSIG], [HMAC]).
>
>   An example of an xmlenc11:DerivedKey element with this key derivation
>   algorithm is:
>
>   <xenc11:DerivedKey
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>     xmlns:xenc11="http://www.w3.org/2009/xmlenc11#">
>     <xenc11:KeyDerivationMethod
>       Algorithm="http://www.w3.org/2010/xmlenc11#pbkdf2">
>       <xenc11:PBKDF2-params>
>         <xenc11:Salt>
>           <xenc11:Specified>Df3dRAhjGh8=</xenc11:Specified>
>         </xenc11:Salt>
>         <xenc11:IterationCount>2000</xenc11:IterationCount>
>         <xenc11:KeyLength>16</xenc11:KeyLength>
>         <xenc11:PRF
>           Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
>       </xenc11:PBKDF2-params>
>     </xenc11:KeyDerivationMethod>
>     <xenc:ReferenceList>
>       <xenc:DataReference URI="#ED"/>
>     </xenc:ReferenceList>
>     <xenc11:MasterKeyName>Our shared secret</xenc11:MasterKeyName>
>   </xenc11:DerivedKey>
>
> References:
>
>   [PKCS5]: http://www.w3.org/TR/xmlenc-core1/#ref-PKCS5
>   [XML-DSIG]: http://www.w3.org/TR/xmlenc-core1/#ref-XML-DSIG
>   [HMAC]: http://www.w3.org/TR/xmlenc-core1/#ref-HMAC
> --------------------------------------------------------------------------------
>
> thanks,
> --
> ajd.
>

Received on Sunday, 28 February 2010 11:45:49 UTC
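
Added example (not part of the thread or of the XML Encryption 1.1 text): a receiver-side Python reading of the PBKDF2-params element proposed above, run on the thread's sample values, including the HMAC-SHA1 default that applies when the PRF Algorithm attribute is absent. The function names, the password used when calling derive_key, and the iteration and key-length limits are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"x": "http://www.w3.org/2009/xmlenc11#"}  # namespace from the thread's example
DEFAULT_PRF = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"  # schema default
PRFS = {  # PRF URIs that appear in the thread -> hashlib digest names
    DEFAULT_PRF: "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": "sha256",
}
# Assumed local policy limits (not from the thread): the parameters travel in
# the message, so bound the work and output size a sender can request.
MAX_ITERATIONS = 10_000_000
MAX_KEY_LENGTH = 64

# KeyDerivationMethod fragment copied from the example in the thread.
SAMPLE = """<xenc11:KeyDerivationMethod
    xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
    Algorithm="http://www.w3.org/2010/xmlenc11#pbkdf2">
  <xenc11:PBKDF2-params>
    <xenc11:Salt><xenc11:Specified>Df3dRAhjGh8=</xenc11:Specified></xenc11:Salt>
    <xenc11:IterationCount>2000</xenc11:IterationCount>
    <xenc11:KeyLength>16</xenc11:KeyLength>
    <xenc11:PRF Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
  </xenc11:PBKDF2-params>
</xenc11:KeyDerivationMethod>"""

def parse_pbkdf2_params(xml_text):
    """Return (salt, iterations, key_length, digest_name) or raise ValueError."""
    params = ET.fromstring(xml_text).find("x:PBKDF2-params", NS)
    if params is None:
        raise ValueError("PBKDF2-params missing")
    salt_el = params.find("x:Salt/x:Specified", NS)
    prf_el = params.find("x:PRF", NS)
    if salt_el is None or prf_el is None:
        raise ValueError("need Salt/Specified and PRF (OtherSource unsupported)")
    salt = base64.b64decode((salt_el.text or "").strip(), validate=True)
    iterations = int(params.findtext("x:IterationCount", "0", NS))
    key_length = int(params.findtext("x:KeyLength", "0", NS))
    if not 1 <= iterations <= MAX_ITERATIONS or not 1 <= key_length <= MAX_KEY_LENGTH:
        raise ValueError("IterationCount or KeyLength outside accepted range")
    uri = prf_el.get("Algorithm", DEFAULT_PRF)  # absent attribute -> HMAC-SHA1
    if uri not in PRFS:
        raise ValueError("unsupported PRF: " + uri)
    return salt, iterations, key_length, PRFS[uri]

def derive_key(password, xml_text):
    """Derive the key bytes for a password (bytes) from the XML parameters."""
    salt, iterations, key_length, digest = parse_pbkdf2_params(xml_text)
    return hashlib.pbkdf2_hmac(digest, password, salt, iterations, dklen=key_length)
```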