Proposed XML Signature changes related to FIPS-186-3 from Frederick Hirsch on 2009-06-11 (public-xmlsec@w3.org from June 2009)

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Thu, 11 Jun 2009 17:56:43 -0400
To: XMLSec WG Public List <public-xmlsec@w3.org>
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
Message-Id: <8AD5C940-AF09-4C74-8068-4FCB4862E08D@nokia.com>

(1) I propose we revise  the security consideration in 6.4.1 since DSS  
now does support longer parameter sizes.

http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-DSA

How about the following proposed revision:

Per FIPS 186-3 [DSS], the DSA security parameter L is defined to be  
1024, 2048 or 3072 and the corresponding DSA q value is defined to be  
160, 224/256 and 256 respectively. Special Publication SP 800-57 Part  
1 [SP800-57], NIST recommends using at least at 2048-bit public keys  
for securing information beyond 2010 (and 3072-bit keys for securing  
information beyond 2030).

Since XML Signature 1.0 required implementations to support DSA-based  
digital signatures, this XML Signature 1.1 revision REQUIRES signature  
verifiers to implement DSA in order to guarantee interoperability with  
XML Signature 1.0 generators. XML Signature 1.1 implementations MAY  
but are NOT REQUIRED to support DSA-based signature generation. We do  
not recommend use of DSA with 1024-bit prime moduli for signatures  
that will be verified beyond 2010. Longer available values should be  
used.
For reference the current text is as follows:

Implementers of XML Signature 1.1 should be aware that as of the time  
of publication the permitted parameter sizes for DSA are too small to  
be used for long-term signatures. Per FIPS 186-2 Change Notice 1  
[DSS], the DSA security parameter L is defined to be exactly 1024 and  
the corresponding DSA prime modulus p is defined to be in the interval  
2^1023 < p < 2^1024. However, in Special Publication SP 800-57 Part 1  
[SP800-57], NIST recommends using at least at 2048-bit public keys for  
securing information beyond 2010 (and 3072-bit keys for securing  
information beyond 2030). (A forthcoming revision to FIPS 186 (FIPS  
186-3) will allow DSA to be used with longer prime moduli and the  
SHA-256/SHA-384/SHA-512 hash functions.)

Since XML Signature 1.0 required implementations to support DSA-based  
digital signatures, this XML Signature 1.1 revision REQUIRES signature  
verifiers to implement DSA in order to guarantee interoperability with  
XML Signature 1.0 generators. XML Signature 1.1 implementations MAY  
but are NOT REQUIRED to support DSA-based signature generation, and  
given the short key size and the SP800-57 guidelines we do not  
recommend use of DSA as currently limited to 1024-bit prime moduli for  
signatures that will be verified beyond 2010.


(2) I propose we remove the reference to FIPS 186-2

DSS
FIPS PUB 186-2. Digital Signature Standard (DSS). U.S. Department of  
Commerce/National Institute of Standards and Technology.
http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf

(3) Propose we rename target from FIPS 186-3 to DSS

Should we revisit whether the must/recommended in this case?

regards, Frederick

Frederick Hirsch
Nokia

Received on Thursday, 11 June 2009 21:58:37 UTC