Re: Changing Signature algorithm implementation requirements

Should we consider separate requirements for generating signatures  
versus validation of signatures?

e.g. must not use C14N 1.0 to generate signatures if compliant with  
Signature v.Next but must be able to verify?

regards, Frederick

Frederick Hirsch
Nokia



On Jul 23, 2008, at 1:02 PM, ext Sean Mullan wrote:

> I'm concerned about relaxing algorithm requirements as this can  
> affect compatibility. This means existing signatures using DSA or  
> C14N 1.0 may not be capable of being validated with newer  
> implementations that don't have to support these algorithms. I  
> think once an algorithm is required, we should support that going  
> forward unless there is a very good reason not to.
>
> --Sean
>
> Frederick Hirsch wrote:
>> XML Signature (1st and 2nd editions) have a list of mandatory and  
>> recommended algorithms in the implementation requirements section.
>> http://www.w3.org/TR/2008/PER-xmldsig-core-20080326/#sec-AlgID
>> I'd like us to discuss whether we should change this list going  
>> forward as follows (independent of other more significant changes  
>> for now):
>> 1.  Signature:
>> Change DSAwithSHA1 (DSS) from Required to Recommended
>> Change RSAwithSHA1 from Recommended to Required
>> Given the change in RSAwithSHA1 licensing status this change might  
>> better reflect implementations.
>> 2. Canonicalization:
>> Change Canonical XML 1.0 (omits comments) from Required to Deprecated
>> Change Canonical XML 1.0 (with comments) from Recommended to  
>> Deprecated
>> Given the issues with xml:id and xml:base, we may want to  
>> discourage use of Canonical XML 1.0 in the future.
>> regards, Frederick
>> Frederick Hirsch
>> Nokia
>

Received on Wednesday, 23 July 2008 17:17:22 UTC
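
Added example, not part of the original messages or of any specification text: one way to express separate generate and verify requirement levels per algorithm URI and audit a signature's `SignedInfo` against them. The `POLICY` levels are assumptions drawn from the proposal and question in this thread, and the function names and sample signature are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # untrusted input: prefer a hardened parser

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

# Assumed policy, not a decided rule: URI -> (level to generate, level to verify).
POLICY = {
    C14N10: ("MUST NOT", "MUST"),
    C14N10 + "#WithComments": ("MUST NOT", "RECOMMENDED"),
    XMLDSIG + "dsa-sha1": ("RECOMMENDED", "MUST"),
    XMLDSIG + "rsa-sha1": ("MUST", "MUST"),
}
ROLES = ("CanonicalizationMethod", "SignatureMethod", "Transform")

def algorithm_uris(signature_xml):
    """Return (element name, Algorithm URI) pairs under ds:SignedInfo, in document order."""
    root = ET.fromstring(signature_xml)
    info = root if root.tag == DS + "SignedInfo" else root.find(".//" + DS + "SignedInfo")
    if info is None:
        raise ValueError("no ds:SignedInfo element")
    return [(el.tag[len(DS):], el.get("Algorithm", ""))
            for el in info.iter() if el.tag in [DS + r for r in ROLES]]

def audit(signature_xml, mode):
    """mode: 'generate' or 'verify'. URIs outside the policy are reported as UNLISTED."""
    col = {"generate": 0, "verify": 1}[mode]
    return [(name, uri, POLICY[uri][col] if uri in POLICY else "UNLISTED")
            for name, uri in algorithm_uris(signature_xml)]

def generation_violations(signature_xml):
    """Algorithms a conforming generator would not be allowed to emit."""
    return [row for row in audit(signature_xml, "generate") if row[2] == "MUST NOT"]

# Constructed sample: a legacy signature using C14N 1.0 and DSA with SHA-1.
SAMPLE = f"""<ds:Signature xmlns:ds="{XMLDSIG}"><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="{C14N10}"/>
  <ds:SignatureMethod Algorithm="{XMLDSIG}dsa-sha1"/>
  <ds:Reference URI=""><ds:Transforms>
    <ds:Transform Algorithm="{XMLDSIG}enveloped-signature"/>
  </ds:Transforms><ds:DigestMethod Algorithm="{XMLDSIG}sha1"/>
  <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"""

if __name__ == "__main__":
    for mode in ("generate", "verify"):
        print(mode, audit(SAMPLE, mode))
```

The same legacy signature is rejected as generator output yet still falls within what a verifier has to handle, which is the compatibility concern raised in the quoted reply.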