
Re: [widgets] How to divorce widgets-digsig from Elliptic Curve PAG?

From: Arthur Barstow <art.barstow@nokia.com>
Date: Fri, 16 Dec 2011 07:51:47 -0500
Message-ID: <4EEB3EE3.1000900@nokia.com>
To: ext Brian LaMacchia <bal@microsoft.com>
CC: Thomas Roessler <tlr@w3.org>, Philippe Le Hegaret <plh@w3.org>, Frederick Hirsch <frederick.hirsch@nokia.com>, Marcos Caceres <marcosscaceres@gmail.com>, Doug Schepers <schepers@w3.org>, Rigo Wenning <rigo@w3.org>, public-webapps <public-webapps@w3.org>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>, Magnus Nystrom <mnystrom@microsoft.com>

On 12/15/11 11:51 AM, ext Brian LaMacchia wrote:
> Hello all,
>
> Sorry for coming to this thread late (I'm on vacation) but I want to comment on a number of points raised during this thread:
>
> 1) Concerning the suggestion to move ECDSA out of XMLDSIG 1.1, that suggestion is a non-starter for XMLDSIG.  One of the main motivations for XMLDSIG 1.1 is to update the spec to support Suite B cryptography, and that means ECDSA support has to be there.  Delaying ECC is not a viable option for XMLDSIG.

And further delaying widgets-digsig while waiting for money to fall from 
the sky doesn't seem like a particularly viable option either.

(I don't understand the violent opposition to an additional version of 
XMLSig that includes everything in XMLSig1.1 CR minus the ECC refs nor 
why the specs aren't crafted such that the syntax and algorithms are in 
separate specs.)

> 2) I do not understand the comments that Widget-DSig is independent of ECC.  As far as I can tell from reading the spec, while Widget-DSig makes certain recommendations about algorithms and key sizes, legally Widget-DSig has to work with any XMLDSIG 1.1 mandatory-to-implement option.  That is, Widget-DSig does not *profile* XMLDSIG 1.1 but simply says "use XMLDSIG 1.1".  Since ECDSA-SHA256 is a mandatory-to-implement signature algorithm in XMLDSIG 1.1, every Widget-DSig implementation would have to support it (it would be violating the XMLDSIG 1.1 spec otherwise).

One view here is that ECC is XMLSig's direct problem. XMLSig should be 
responsible for testing ECC - not widgets-digsig. An analogy is HTML5 
and CSS2.1: HTML5 normatively references CSS2.1 but there is no 
expectation that HTML5's test suite will test every assertion in CSS2.1. 
I think this applies with widgets-digsig and XMLSig and in this view, 
they are "independent".

-AB
Received on Friday, 16 December 2011 12:52:09 GMT
