- From: Priestley, Mark, VF-Group <Mark.Priestley@vodafone.com>
- Date: Thu, 18 Dec 2008 14:03:53 +0100
- To: "David Rogers" <david.rogers@omtp.org>, <public-webapps@w3.org>
- Cc: "Frederick Hirsch" <frederick.hirsch@nokia.com>, "Thomas Roessler" <tlr@w3.org>
- Message-ID: <0BE18111593D8A419BE79891F6C46909025D5566@EITO-MBX01.internal.vodafone.com>
Hi All,

Marcos, Frederick and I met with Thomas at the recent W3C Security workshop and were able to answer the questions that I had put forward following the face-to-face discussion with the XML Security working group in Mandelieu.

In short we agreed:

1. DSA-SHA256 will be specified as a second mandatory Signature Algorithm. The XML Security working group will specify the necessary URI as this is currently not available.

2. The Widgets 1.0: Digital Signature specification will mandate the use of a Usage element (in place of the profile element). This will allow signatures to be created that can be used for different purposes with different processing requirements. Exact details to be worked out.

3. The Widgets 1.0: Digital Signatures specification will support the use of a Timestamp element. This will allow the signature to have a shorter lifetime than the certificate associated to it. The timestamp need not be generated by a trusted time stamp authority - it will only be valid provided that the certificates associated to the signature are also still valid (not expired or revoked).

4. The Usage and Timestamp elements will be specified in a separate specification so that they can be used by other specifications based on XML DigSig. Frederick has drafted an initial proposal at http://www.w3.org/2008/xmlsec/Drafts/xmldsig-properties/

Thomas/Marcos/Frederick - please feel free to correct or add to the above.

Comments and questions welcomed.

Thanks,

Mark

________________________________

From: public-webapps-request@w3.org [mailto:public-webapps-request@w3.org] On Behalf Of David Rogers
Sent: 14 November 2008 15:59
To: public-webapps@w3.org
Subject: [widgets] Digital Signatures questions for discussion

Dear all,

In Mark Priestley's absence, he has asked me to forward these questions for discussion within WebApps, with the intention of this group submitting to the XML Digital Signatures group. These questions are in response to the discussions at TPAC:

1. While it is recognised that there is a broad move to elliptic curve techniques, please can you provide an explanation for your recommendation that DSA should not be supported even with 2048 bit keys? Note: We are aware that there is no published specification describing the use of DSA with key lengths over 1024 but there is a NIST draft[1] (publication process due to start before the end of the year). It has also been noted that there are concerns around licensing on elliptic curve technologies.

2. Please can you explain in more detail how you would propose to use the profile element?

3. Similarly, please can you explain how the addition of the timestamp would help with the revocation process? We assume that you require the timestamp to come from a Trusted Timestamp Authority

[1] http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-3%20_March2006.pdf

Thanks,

David.

David Rogers
OMTP Director of External Relations
Received on Thursday, 18 December 2008 13:04:54 UTC