- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Thu, 19 Mar 2009 10:20:39 -0400
- To: public-webapps@w3.org
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, Mark Priestley <Mark.Priestley@vodafone.com>
Mark I'll change the sentence to read "The ds:Signature MUST be produced using a key of the recommended key length or stronger." Probably should change term from "recommended key length" to "minimum key length". Later when we update algorithms we probably should review whether we need key length defined for each algorithm but can defer for now. Will this change of sentence work ? Thanks regards, Frederick Frederick Hirsch Nokia (for some reason this message of yours did not reach my personal inbox, but it was on the list) Hi Frederick, I agree with all of your changes with two comments. The sentence: "The Signature MUST be produced using a key of the recommended key length <http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length > " is still problematic given that we allow (although discourage) key lengths less than the recommended key length, and probably don't want to rule out the use of longer keys. Suggest changing to: "The Signature SHOULD be produced using a key of the recommended key length <http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length> . The Signature MUST comply with Signature method algorithm requirements in the Algorithms section of this document" I also think we need to link recommended key length to algorithms now we allow other algorithms to be used, ie if ECDSA is used it would be OK to use shorter keys. Thanks, Mark _
Received on Thursday, 19 March 2009 14:23:10 UTC