- From: Bruce Rich <brich@us.ibm.com>
- Date: Wed, 23 Jul 2008 13:03:30 -0500
- To: public-xmlsec@w3.org
- Message-ID: <OF7B977010.D520E8B3-ON8625748F.005EAE8E-8625748F.0063338E@us.ibm.com>
If the new XML Signature were in a new namespace, I don't see compatibility issues arising. Old signatures would be in a different namespace, so different rules would apply. This would permit new implementations to only support forward-facing technologies if they so choose. If we don't do something like Frederick suggested, we will have to drag an increasingly large pile of potentially-obsolete/vulnerable technology into the future.

So if we would bifurcate Signature into two "streams", the first that accommodates the old algs and potentially adds some new optional algs, and the second that breaks with the past, I think we could be OK. As the newer stuff is increasingly adopted, the old alg implementations could be retired (in theory...probably about the time the last mainframe is unplugged...just before the heat death of the universe). However, if one continues to add optional algs to the old stream, it would never dry up. So in my mind the more controversial move is adding new algs to the old Signature.

Bruce A Rich
brich at-sign us dot ibm dot com

public-xmlsec-request@w3.org wrote on 07/23/2008 12:02:51 PM:

> Re: Changing Signature algorithm implementation requirements
>
> Sean Mullan
> to: Frederick Hirsch
> 07/23/2008 12:04 PM
> Sent by: public-xmlsec-request@w3.org
> Cc: public-xmlsec
>
> I'm concerned about relaxing algorithm requirements as this can affect compatibility. This means existing signatures using DSA or C14N 1.0 may not be capable of being validated with newer implementations that don't have to support these algorithms. I think once an algorithm is required, we should support that going forward unless there is a very good reason not to.
>
> --Sean
>
> Frederick Hirsch wrote:
> >
> > XML Signature (1st and 2nd editions) have a list of mandatory and recommended algorithms in the implementation requirements section.
> >
> > http://www.w3.org/TR/2008/PER-xmldsig-core-20080326/#sec-AlgID
> >
> > I'd like us to discuss whether we should change this list going forward as follows (independent of other more significant changes for now):
> >
> > 1. Signature:
> > Change DSAwithSHA1 (DSS) from Required to Recommended
> > Change RSAwithSHA1 from Recommended to Required
> >
> > Given the change in RSAwithSHA1 licensing status this change might better reflect implementations.
> >
> > 2. Canonicalization:
> >
> > Change Canonical XML 1.0 (omits comments) from Required to Deprecated
> > Change Canonical XML 1.0 (with comments) from Recommended to Deprecated
> >
> > Given the issues with xml:id and xml:base, we may want to discourage use of Canonical XML 1.0 in the future.
> >
> > regards, Frederick
> >
> > Frederick Hirsch
> > Nokia

Received on Wednesday, 23 July 2008 18:04:34 UTC