RE: [widget-digsig] Pls review: Additional considerations on elliptic curve algorithms to consider

Hi Frederick, All,

Actually, Vodafone are staying silent on whether this should be a MUST
for XML Signature 1.1 specification. However we are saying that we won't
object, which I had previously indicated that we might on the WebApps
call.

Regards,

Mark  

-----Original Message-----
From: Frederick Hirsch [mailto:Frederick.Hirsch@nokia.com] 
Sent: 23 April 2009 13:20
To: ext David Rogers
Cc: Frederick Hirsch; marcosc@opera.com; Priestley, Mark, VF-Group; Web
Applications Working Group WG; Babbage, Steve, VF-Group
Subject: Re: [widget-digsig] Pls review: Additional considerations on
elliptic curve algorithms to consider

I agree. Also, to be clear, Mark, I believe you are saying VF supports a
MUST in the XML Signature 1.1 specification.

regards, Frederick

Frederick Hirsch
Nokia



On Apr 23, 2009, at 8:15 AM, ext David Rogers wrote:

> Marcos,
>
> Surely the logic should support algorithm evolution in that way. If it
> is a SHOULD it doesn't mean that engines need to support all
> algorithms - that would be a SHALL? If we say nothing at all, you run
> the risk of dropping off a security cliff if you need to migrate in
> the future. A SHOULD at least prescribes an intended roadmap and gives
> the option for implementers to go for that if they so choose.
>
> Thanks,
>
> David.
>
> -----Original Message-----
> From: public-webapps-request@w3.org
> [mailto:public-webapps-request@w3.org] On Behalf Of Marcos Caceres
> Sent: 23 April 2009 08:53
> To: Priestley, Mark, VF-Group
> Cc: Frederick Hirsch; Web Applications Working Group WG; Babbage, 
> Steve, VF-Group
> Subject: Re: [widget-digsig] Pls review: Additional considerations on 
> elliptic curve algorithms to consider
>
> On Thu, Apr 23, 2009 at 9:31 AM, Priestley, Mark, VF-Group 
> <Mark.Priestley@vodafone.com> wrote:
>> Hi Frederick, All,
>>
>> Vodafone supports the move to support ECDSA in XML Signature 1.1 [2] 
>> and welcomes the new clarifying text. Vodafone will not object to
>> ECDSAwithSHA256 being specified as mandatory [2] however we would 
>> like to propose that it is a recommended algorithm in Widgets 1.0: 
>> Digital Signatures [5] (e.g. a SHOULD).
>
> Sorry, it doesn't make sense to have them as a "should" in this 
> context. Either they are in or out because in practice engines will 
> need to support all prescribed algorithms. Let's keep to the smallest 
> possible subset of most commonly used algorithms in 1.0; every 
> algorithm we add makes this specification more difficult/expensive to 
> implement, adds more points of failure, etc. If the market shifts to 
> new algorithms, then we can add those later in a new draft.
>
> Kind regards,
> Marcos
> --
> Marcos Caceres
> http://datadriven.com.au
>

Received on Thursday, 23 April 2009 16:09:18 UTC