W3C home > Mailing lists > Public > public-xmlsec@w3.org > December 2011

Re: [widgets] How to divorce widgets-digsig from Elliptic Curve PAG?

From: <Frederick.Hirsch@nokia.com>
Date: Wed, 14 Dec 2011 19:07:05 +0000
To: <Frederick.Hirsch@nokia.com>
CC: <Art.Barstow@nokia.com>, <tlr@w3.org>, <marcosscaceres@gmail.com>, <schepers@w3.org>, <plh@w3.org>, <rigo@w3.org>, <public-webapps@w3.org>, <public-xmlsec@w3.org>
Message-ID: <13C0DC9E-E639-4A21-A21E-5EB760DF7CFD@nokia.com>
oops, wrong explain, instead see http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/explain.html 6.1, 6.2*, 6.3.1, 6.4.2 (e.g. move away from SHA-1)

regards, Frederick

Frederick Hirsch
Nokia



On Dec 14, 2011, at 2:00 PM, Hirsch Frederick (Nokia-CIC/Boston) wrote:

> Art
> 
> I think switching the dependency to XML Signature 1.0 is a bad idea, noting that 1.1 has fixed errors, and addressed security vulnerabilities, including updates to algorithms (other than ecc) to address known weaknesses.
> 
> details in http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/explain.html, 5.1, 5.5.1, 5.8, 6.6-6.8
> 
> I think the W3 team is actively working on the PAG issue but have no idea when we will see the result - one hope was before year end. 
> 
> regards, Frederick
> 
> Frederick Hirsch
> Nokia
> 
> 
> 
> On Dec 13, 2011, at 1:14 PM, Arthur Barstow wrote:
> 
>> Hi All,
>> 
>> The Widgets DigSig spec [W-DigSig] has been sitting in PR for over 4 months now, blocked on the Elliptic Curve PAG [ECC-PAG]. AFAICT, this PAG has just started its unspecified length Fishing Expedition seeking some unspecified level of funds to pay for some type of analysis that will take some unknown amount of time to complete ...
>> 
>> Given this, and not wanting to block on the ECC PAG any longer, what are the options to move widgets-digsig to REC ASAP?
>> 
>> Some options:
>> 
>> 1. Replace [XMLSig1.1] dependency with XMLSig 1.0. I presume this would require a new 3-week LC but the CR could be zero-length, presumably no re-testing would be required, and the only thing blocking PR->REC is the length of the new CfE that would be needed.
>> 
>> 2. Move the tainted algorithm(s) in XMLSig1.1 to XMLSig1.Next so XMLSig1.1 is not affected by the PAG and XMLSig1.1 can then continue on the REC track.
>> 
>> 3. Others?
>> 
>> (#2 seems dead simple so I'm probably missing some things.)
>> 
>> -AB
>> 
>> [W-DigSig] http://www.w3.org/TR/widgets-digsig/
>> [XMLSig1.1] http://www.w3.org/TR/xmldsig-core1/
>> [ECC-PAG] http://www.w3.org/2011/02/xmlsec-pag-charter.html
>> 
> 
Received on Wednesday, 14 December 2011 19:10:32 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 14 December 2011 19:10:32 GMT