- From: Eastlake III Donald-LDE008 <Donald.Eastlake@motorola.com>
- Date: Thu, 8 Nov 2007 14:50:48 -0500
- To: "Konrad Lanz" <Konrad.Lanz@iaik.tugraz.at>
- Cc: <w3c-ietf-xmldsig@w3.org>, "XMLSec" <public-xmlsec-maintwg@w3.org>, "Reinhard Posch" <Reinhard.Posch@iaik.tugraz.at>, "Herbert Leitold" <Herbert.Leitold@a-sit.at>, "Peter Lipp" <Peter.Lipp@iaik.tugraz.at>
Hi Konrad,

RFC 4051 says that no more URIs will be added under http://www.w3.org/2001/04/xmldsig-more, but earlier this year http://www.w3.org/2007/05/xmldsig-more was explicitly allocated for additions. (RFC 4051: "it is not intended that any additional "http://www.w3.org/2001/04/xmldsig-more#" URIs be created beyond those enumerated in this document.")

I am in the process of producing an Internet Draft leading to an RFC to replace RFC 4051 and will include http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160 described as you request.

Others on the mailing lists to which this is sent should note that this is a good time to request other additions to the successor to RFC 4051.

Thanks,
Donald

====================================================
Donald E. Eastlake 3rd
+1-508-786-7554 (work)
Motorola Laboratories
111 Locke Drive
Marlborough, MA 01752 USA
Donald.Eastlake@motorola.com

> -----Original Message-----
> From: Konrad Lanz [mailto:Konrad.Lanz@iaik.tugraz.at]
> Sent: Monday, October 29, 2007 12:06 PM
> To: Eastlake III Donald-LDE008
> Cc: w3c-ietf-xmldsig@w3.org; XMLSec; Reinhard Posch; Herbert Leitold; Peter Lipp
> Subject: Request for a new SignatureMethod Algorithm Identifier in RFC 4051
>
> Dear Donald Eastlake,
>
> Given the advances in SHA-1 collision search where first collisions may
> be expected in even less than a year and given that national
> legislations explicitly require collision free hash functions and may
> exclude SHA-1 immediately after first collisions, alternatives in
> XMLDSIG are needed. In the ECDSA signature suites this is so far limited
> to the SHA-2 family -- no SignatureMethod Algorithm URI exists.
>
> As several widely deployed ECDSA solutions (e.g. smartcards) are
> technically limited to 160 bit hash functions where RIPEMD160 is the
> valid alternative, the risk exists that vendors or CAs are forced to
> deploy proprietary ECDSA-XMLDSIG -- RIPEMD160 solutions.
>
> Therefore, a URI for ECDSA (ANSI X 9.62) with RIPEMD160 is urgently needed.
>
> We suggest to use the fragment #ecdsa-ripemd160 to be used in the
> xmldsig-more namespace.
>
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-ripemd160
>
> We further propose to add the following sentence to
> http://tools.ietf.org/html/rfc4051#section-2.3.6 .
>
> "The #ecdsa-ripemd160 fragment of this namespace identifies a signature
> method processed in the same way as specified by the #ecdsa-sha1
> fragment of this namespace with the exception that RIPEMD160 is used
> instead of SHA-1."
>
> kind regards
>
> Konrad Lanz
>
> --
> A-SIT
>
> Konrad Lanz, IAIK/SIC - Graz University of Technology
> Inffeldgasse 16a, 8010 Graz, Austria
> Tel: +43 316 873 5547
> Fax: +43 316 873 5520
> https://www.iaik.tugraz.at/aboutus/people/lanz
> http://jce.iaik.tugraz.at
>
> Certificate chain (including the EuroPKI root certificate):
> https://europki.iaik.at/ca/europki-at/cert_download.htm
>

Received on Thursday, 8 November 2007 19:51:17 UTC