- From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
- Date: Thu, 23 Apr 2009 08:20:18 -0400
- To: ext David Rogers <david.rogers@omtp.org>
- Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, "marcosc@opera.com" <marcosc@opera.com>, "Priestley, Mark, VF-Group" <Mark.Priestley@Vodafone.com>, Web Applications Working Group WG <public-webapps@w3.org>, "Babbage, Steve, VF-Group" <Steve.Babbage@Vodafone.com>
I agree. Also to be clear Mark, I believe you are saying VF supports a MUST in the XML Signature 1.1 specification.

regards, Frederick

Frederick Hirsch
Nokia

On Apr 23, 2009, at 8:15 AM, ext David Rogers wrote:

> Marcos,
>
> Surely the logic should support algorithm evolution in that way. If
> it is a SHOULD it doesn't mean that engines need to support all
> algorithms - that would be a SHALL? If we say nothing at all, you
> run the risk of dropping off a security cliff if you need to migrate
> in the future. A SHOULD at least prescribes an intended roadmap and
> gives the option for implementers to go for that if they so choose.
>
> Thanks,
>
> David.
>
> -----Original Message-----
> From: public-webapps-request@w3.org [mailto:public-webapps-request@w3.org] On Behalf Of Marcos Caceres
> Sent: 23 April 2009 08:53
> To: Priestley, Mark, VF-Group
> Cc: Frederick Hirsch; Web Applications Working Group WG; Babbage, Steve, VF-Group
> Subject: Re: [widget-digsig] Pls review: Additional considerations on elliptic curve algorithms to consider
>
> On Thu, Apr 23, 2009 at 9:31 AM, Priestley, Mark, VF-Group
> <Mark.Priestley@vodafone.com> wrote:
>> Hi Frederick, All,
>>
>> Vodafone supports the move to support ECDSA in XML Signature 1.1 [2] and
>> welcomes the new clarifying text. Vodafone will not object to
>> ECDSAwithSHA256 being specified as mandatory [2] however we would like
>> to propose that it is a recommended algorithm in Widgets 1.0: Digital
>> Signatures [5] (e.g. a SHOULD).
>
> Sorry, it doesn't make sense to have them as a "should" in this
> context. Either they are in or out because in practice engines will
> need to support all prescribed algorithms. Let's keep to the smallest
> possible subset of most commonly used algorithms in 1.0; every
> algorithm we add makes this specification more difficult/expensive to
> implement, adds more points of failure, etc. If the market shifts to
> new algorithms, then we can add those later in a new draft.
>
> Kind regards,
> Marcos
> --
> Marcos Caceres
> http://datadriven.com.au
Received on Thursday, 23 April 2009 12:21:31 UTC