Re: Changing Signature algorithm implementation requirements from Bruce Rich on 2008-07-23 (public-xmlsec@w3.org from July 2008)

From: Bruce Rich <brich@us.ibm.com>
Date: Wed, 23 Jul 2008 13:03:30 -0500
To: public-xmlsec@w3.org
Message-ID: <OF7B977010.D520E8B3-ON8625748F.005EAE8E-8625748F.0063338E@us.ibm.com>

If the new XML Signature were in a new namespace, I don't see 
compatibility issues arising.
Old signatures would be in a different namespace, so different rules would 
apply.
This would permit new implementations to only support forward-facing 
technologies if they so choose.
If we don't do something like Frederick suggested, we will have to drag an 
increasingly large pile of potentially-obsolete/vulnerable technology into 
the future.

So if we would bifurcate Signature into two "streams", the first that 
accommodates the old algs and potentially adds some new optional algs,
and the second that breaks with the past, I think we could be OK.
As the newer stuff is increasingly adopted, the old alg implementations 
could be retired (in theory...probably about the time the last mainframe 
is unplugged...just before the heat death of the universe).
However, if one continues to add optional algs to the old stream, it would 
never dry up.  So in my mind the more controversial move is adding new 
algs to the old Signature.

Bruce A Rich
brich at-sign us dot ibm dot com

public-xmlsec-request@w3.org wrote on 07/23/2008 12:02:51 PM:

> [image removed] 
> 
> Re: Changing Signature algorithm implementation requirements
> 
> Sean Mullan 
> 
> to:
> 
> Frederick Hirsch
> 
> 07/23/2008 12:04 PM
> 
> Sent by:
> 
> public-xmlsec-request@w3.org
> 
> Cc:
> 
> public-xmlsec
> 
> 
> I'm concerned about relaxing algorithm requirements as this can affect 
> compatibility. This means existing signatures using DSA or C14N 1.0 may 
> not be capable of being validated with newer implementations that don't 
> have to support these algorithms. I think once an algorithm is required, 

> we should support that going forward unless there is a very good reason 
> not to.
> 
> --Sean
> 
> Frederick Hirsch wrote:
> > 
> > XML Signature (1st and 2nd editions) have a list of mandatory and 
> > recommended algorithms in the implementation requirements section.
> > 
> > http://www.w3.org/TR/2008/PER-xmldsig-core-20080326/#sec-AlgID
> > 
> > I'd like us to discuss whether we should change this list going 
forward 
> > as follows (independent of other more significant changes for now):
> > 
> > 1.  Signature:
> > Change DSAwithSHA1 (DSS) from Required to Recommended
> > Change RSAwithSHA1 from Recommended to Required
> > 
> > Given the change in RSAwithSHA1 licensing status this change might 
> > better reflect implementations.
> > 
> > 2. Canonicalization:
> > 
> > Change  Canonical XML 1.0(omits comments) from Required to Deprecated
> > Change  Canonical XML 1.0 with  comments) from Recommended to 
Deprecated
> > 
> > Given the issues with xml:id and xml:base, we may want to discourage 
use 
> > of Canonical XML 1.0 in the future.
> > 
> > regards, Frederick
> > 
> > Frederick Hirsch
> > Nokia
> > 
> > 
> > 
> > 
> 
>

Received on Wednesday, 23 July 2008 18:04:34 UTC