W3C home > Mailing lists > Public > public-xmlsec@w3.org > August 2012

Re: XML Signature 1.1 items at risk (removal)

From: Cantor, Scott <cantor.2@osu.edu>
Date: Tue, 7 Aug 2012 01:42:56 +0000
To: "Frederick.Hirsch@nokia.com" <Frederick.Hirsch@nokia.com>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <BA63CEAE152A7742B854C678D949138330A6A8DB@CIO-KRC-D1MBX01.osuad.osu.edu>
On 8/6/12 9:33 PM, "Frederick.Hirsch@nokia.com"
<Frederick.Hirsch@nokia.com> wrote:
>(1) SHA-224 related algorithms: ECDSA-SHA224, HMAC-SHA224, RSAwithSHA224

By end of month I can produce a vector for these, or at least the public
key ones, or verify somebody else's if they have one.

>(2) KeyInfo X509Data items: OCSPResponse, X509Digest (1 implementation
>Apache Santuario)
>(3) KeyInfo items: DEREncodedKeyValue (1 implementation Apache
>Santuario), KeyInfoReference (1 implementation Apache Santuario)

The KeyInfoReference implementation is OpenSAML from the Shibboleth
project, rather than Santuario. It doesn't fit into the Santuario code
base as a useful feature.

You can add OpenSAML to the DEREncodedKeyValue set also.

As we discussed last call, I'm the author in both projects.

Note that if you pull X509Digest, we're back to having a broken
X509IssuerSerial as the alternative because people objected to fixing the

>(4) HMACOutputLength

If there's an existing vector for this that used to be allowed but should
now fail, can somebody identify it?

-- Scott
Received on Tuesday, 7 August 2012 01:50:08 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:18 UTC