Please review: proposed FIPS reference changes for XML Signature, Second Edition

We have two issues related to the FIPS references in the XML
Signature draft:

1. We reference FIPS 186-2 for DSS, with a URI that doesn't exist any  
more:

   http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/#ref-DSS

Proposal is to update that link from:

   http://csrc.nist.gov/publications/fips/fips186-2/fips186-2.pdf

to:

   http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf

The change notice section notes a restriction related to the DSA
modulus, and also changes related to random number generation.

It is important that participants in the XML Signature, Second  
Edition WG indicate whether changing this reference is an issue (or  
not) for their implementations. Please send a message to the members  
list noting whether the reference change is acceptable or not.

2. We reference FIPS 180-1 for SHA-1:

   http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/#ref-SHA-1

(FIPS 180-1 is also linked from section 6.2.1.)

The links we are using for 180-1 are no longer working, and FIPS  
180-1 has been superseded by FIPS 180-2 (with a change notice).

The proposal is to change the normative reference for SHA-1 to FIPS  
180-2.

   http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf

The change here seems to be to add additional hash algorithms which  
would not impact XML Signature, Second Edition.

(It appears as though a FIPS 180-3 is scheduled for publication some
time soon, which would in turn supersede 180-2.
http://csrc.nist.gov/publications/drafts/fips_180-3/draft_fips-180-3_June-08-2007.pdf )

Please review these proposed changes and post any suggestion or
concern on the public list (or for product/implementation
acceptability or issues on the members list). We would like to
resolve this issue on the mailing lists this week if possible.

Thanks

regards, Frederick

Frederick Hirsch, Nokia
Chair XML Security Specifications Maintenance WG

Received on Wednesday, 5 March 2008 15:52:49 UTC