RE: [widget-digsig] Pls review: Additional considerations on elliptic curve algorithms to consider

Marcos,

Surely the logic should support algorithm evolution in that way. If it is a SHOULD it doesn't mean that engines need to support all algorithms - that would be a SHALL? If we say nothing at all, you run the risk of dropping off a security cliff if you need to migrate in the future. A SHOULD at least prescribes an intended roadmap and gives the option for implementers to go for that if they so choose.

Thanks,

David.

-----Original Message-----
From: public-webapps-request@w3.org [mailto:public-webapps-request@w3.org] On Behalf Of Marcos Caceres
Sent: 23 April 2009 08:53
To: Priestley, Mark, VF-Group
Cc: Frederick Hirsch; Web Applications Working Group WG; Babbage, Steve, VF-Group
Subject: Re: [widget-digsig] Pls review: Additional considerations on elliptic curve algorithms to consider

On Thu, Apr 23, 2009 at 9:31 AM, Priestley, Mark, VF-Group
<Mark.Priestley@vodafone.com> wrote:
> Hi Frederick, All,
>
> Vodafone supports the move to support ECDSA in XML Signature 1.1 [2] and
> welcomes the new clarifying text. Vodafone will not object to
> ECDSAwithSHA256 being specified as mandatory [2]; however, we would like
> to propose that it is a recommended algorithm in Widgets 1.0: Digital
> Signatures [5] (e.g. a SHOULD).

Sorry, it doesn't make sense to have them as a "should" in this
context. Either they are in or out because in practice engines will
need to support all prescribed algorithms. Let's keep to the smallest
possible subset of most commonly used algorithms in 1.0; every
algorithm we add makes this specification more difficult/expensive to
implement, adds more points of failure, etc. If the market shifts to
new algorithms, then we can add those later in a new draft.

Kind regards,
Marcos
-- 
Marcos Caceres
http://datadriven.com.au

Received on Thursday, 23 April 2009 12:16:53 UTC