- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Wed, 23 Jul 2008 13:15:27 -0400
- To: "ext Sean Mullan" <Sean.Mullan@Sun.COM>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, public-xmlsec@w3.org
Should we consider separate requirements for generating signatures versus validation of signatures? e.g. must not use C14N1.0 to generate signatures if compliant with Signature v.Next but must be able to verify? regards, Frederick Frederick Hirsch Nokia On Jul 23, 2008, at 1:02 PM, ext Sean Mullan wrote: > I'm concerned about relaxing algorithm requirements as this can > affect compatibility. This means existing signatures using DSA or > C14N 1.0 may not be capable of being validated with newer > implementations that don't have to support these algorithms. I > think once an algorithm is required, we should support that going > forward unless there is a very good reason not to. > > --Sean > > Frederick Hirsch wrote: >> XML Signature (1st and 2nd editions) have a list of mandatory and >> recommended algorithms in the implementation requirements section. >> http://www.w3.org/TR/2008/PER-xmldsig-core-20080326/#sec-AlgID >> I'd like us to discuss whether we should change this list going >> forward as follows (independent of other more significant changes >> for now): >> 1. Signature: >> Change DSAwithSHA1 (DSS) from Required to Recommended >> Change RSAwithSHA1 from Recommended to Required >> Given the change in RSAwithSHA1 licensing status this change might >> better reflect implementations. >> 2. Canonicalization: >> Change Canonical XML 1.0(omits comments) from Required to Deprecated >> Change Canonical XML 1.0 with comments) from Recommended to >> Deprecated >> Given the issues with xml:id and xml:base, we may want to >> discourage use of Canonical XML 1.0 in the future. >> regards, Frederick >> Frederick Hirsch >> Nokia >
Received on Wednesday, 23 July 2008 17:17:22 UTC