- From: Kelvin Yiu <kelviny@exchange.microsoft.com>
- Date: Fri, 7 Nov 2008 15:42:49 -0800
- To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>
- Message-ID: <B50E442C206C3045BD85290E7AA3FD4988F5E5218A@df-whippet-msg.exchange.corp.microso>
Background: RFC 4050 is an informational RFC that defines a method of
representing ECDSA public keys and ECC curve parameters for use with XMLDSIG.
As part of the new alg work for XMLDSIG 1.1 I've been investigating whether
RFC 4050 is an appropriate starting point for our ECDSA support. In particular,
I've been looking at whether we can import the ECDSAKeyValue and ECPointType
elements into XMLDSIG easily. Here is a summary of the problems.
The RFC 4050 definition of an ECDSAKeyValue is larger than necessary
An ECDSAKeyValue is defined by the type ECPointType, which has subelements
X and Y. X and Y are defined as FieldParamsType which is an abstract type.
Separate derived types are defined for prime fields, trinomial base fields,
pentanomial base fields, and odd characteristic extension fields. In order
to validate against the 4050 schema, one must include the type attribute
from the Xml schema instance namespace.
The example below was (mostly) generated using .NET 3.5 on Vista SP1,
except that I had to manually add the xsi:type attribute in order to make
it conform to the RFC 4050 schema.
<ECDSAKeyValue xmlns="http://www.w3.org/2001/04/xmldsig-more#">
<DomainParameters>
<NamedCurve URN="urn:oid:1.2.840.10045.3.1.7"/>
</DomainParameters>
<PublicKey xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<X Value="58511060653801744393249179046482833320204931884267326155134056258624064349885"
xsi:type="PrimeFieldElemType"/>
<Y Value="102403352136827775240910267217779508359028642524881540878079119895764161434936"
xsi:type="PrimeFieldElemType"/>
</PublicKey>
</ECDSAKeyValue>
This is not a significant problem but it does make the public key larger
than necessary.
ECPointType definition is inconsistent with ANSI X9.62 and RFC 3279
ECPointType is reused in the definition of the ExplicitParamsType to
describe the base point of a curve. ExplicitParamsType is defined as
<xs:complexType name="ExplicitParamsType">
<xs:sequence>
<xs:element name="FieldParams" type="ecdsa:FieldParamsType"/>
<xs:element name="CurveParams" type="ecdsa:CurveParamsType"/>
<xs:element name="BasePointParams"
type="ecdsa:BasePointParamsType"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CurveParamsType">
<xs:sequence>
<xs:element name="A" type="ecdsa:FieldElemType"/>
<xs:element name="B" type="ecdsa:FieldElemType"/>
<xs:element name="Seed" type="xs:hexBinary" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="BasePointParamsType">
<xs:sequence>
<xs:element name="BasePoint" type="ecdsa:ECPointType"/>
<xs:element name="Order" type="xs:positiveInteger"/>
<xs:element name="Cofactor" type="xs:positiveInteger"
minOccurs="0"/>
</xs:sequence>
</xs:complexType>
Notice that the field parameters are already included in the FieldParams
element. The use of the FieldParamsType in the ECPointType definition
appears to be a mistake in 4050. If you look at the ASN.1 definition for
ECC public keys in RFC 3279, ECPoint simply references the Point to Octet
String conversion function in ANSI X9.62 (section A.5.6 in the 2005
version, section 4.3.6 in the 1998 version). The conversion functions in
X9.62 are not ASN.1 specific and I believe they would be implemented as
part of any ECC crypto library. It appears that RFC 4050 tried to avoid
using any of the conversion functions in X9.62 but somehow mixed up the
definitions between a field type and a field element.
Limitation of the decimal type in XSD
RFC 4050 defines X and Y (at least for prime and odd characteristic
extension fields) as xs:nonNegativeInteger which derives from the
xs:decimal primitive type. However, XSD requires implementations to support
only a minimum of 18 digits.
http://www.w3.org/TR/xmlschema-2/#decimal
My example above required 77 and 78 digits for X and Y respectively.
This means that there is no guarantee that an RFC 4050 compliant
ECDSAKeyValue element will actually validate against the RFC 4050 schema.
(It did not when I tried the example above with the XML editor in Visual
Studio 2008, for example).
Collision between the RFC 4050 DTD and the XMLDSIG DTD
I could not merge the RFC 4050 DTD into the XMLDSIG DTD. In ECDSAKeyValue,
Y is defined as:
<!ELEMENT Y EMPTY>
<!ATTLIST Y Value CDATA #REQUIRED>
However, DSAKeyValue defines Y as follows:
<!ELEMENT Y (#PCDATA) >
ECDSAKeyValue also contains identical definition for elements SEED and P
as DSAKeyValue.
I don't know if there is a way to scope the definition of Y under a
specific element in DTD.
Proposed Solution
Because of these issues, I believe XMLDSIG 1.1 should not attempt to reuse
the RFC 4050 ECDSAPublicKey elements. Instead, I proposed that XMLDSIG 1.1
define a new ECPublicKey element in the ds namespace to address problems
in the RFC 4050 schema and will be based on the ASN.1 definition in ANSI
X9.62 and RFC 3279. Changing the name of the element to ECPublicKey means
we can reuse it when we update Xml Encryption to support ECDH.
To maximize interoperability with existing RFC 4050 implementations, I
would like to put a note in 1.1 to recommend implementations to support a
profile of RFC 4050. The profile will support only named prime curves
which is basically the example above.
Kelvin
Received on Friday, 7 November 2008 23:43:36 UTC