- From: Sean Mullan <Sean.Mullan@Sun.COM>
- Date: Mon, 15 Jun 2009 16:26:53 -0400
- To: Frederick Hirsch <frederick.hirsch@nokia.com>
- Cc: XMLSec WG Public List <public-xmlsec@w3.org>
Frederick Hirsch wrote:
> (1) I propose we revise the security consideration in 6.4.1 since DSS
> now does support longer parameter sizes.
>
> http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-DSA
>
> How about the following proposed revision:
>
> Per FIPS 186-3 [DSS], the DSA security parameter L is defined to be
> 1024, 2048 or 3072 and the corresponding DSA q value is defined to be
> 160, 224/256 and 256 respectively. Special Publication SP 800-57 Part 1
> [SP800-57], NIST recommends using at least at 2048-bit public keys for
> securing information beyond 2010 (and 3072-bit keys for securing
> information beyond 2030).
>
> Since XML Signature 1.0 required implementations to support DSA-based
> digital signatures, this XML Signature 1.1 revision REQUIRES signature
> verifiers to implement DSA in order to guarantee interoperability with
> XML Signature 1.0 generators. XML Signature 1.1 implementations MAY but
> are NOT REQUIRED to support DSA-based signature generation. We do not
> recommend use of DSA with 1024-bit prime moduli for signatures that will
> be verified beyond 2010. Longer available values should be used.
> For reference the current text is as follows:
>
> Implementers of XML Signature 1.1 should be aware that as of the time of
> publication the permitted parameter sizes for DSA are too small to be
> used for long-term signatures. Per FIPS 186-2 Change Notice 1 [DSS], the
> DSA security parameter L is defined to be exactly 1024 and the
> corresponding DSA prime modulus p is defined to be in the interval
> 2^1023 < p < 2^1024. However, in Special Publication SP 800-57 Part 1
> [SP800-57], NIST recommends using at least at 2048-bit public keys for
> securing information beyond 2010 (and 3072-bit keys for securing
> information beyond 2030). (A forthcoming revision to FIPS 186 (FIPS
> 186-3) will allow DSA to be used with longer prime moduli and the
> SHA-256/SHA-384/SHA-512 hash functions.)
>
> Since XML Signature 1.0 required implementations to support DSA-based
> digital signatures, this XML Signature 1.1 revision REQUIRES signature
> verifiers to implement DSA in order to guarantee interoperability with
> XML Signature 1.0 generators. XML Signature 1.1 implementations MAY but
> are NOT REQUIRED to support DSA-based signature generation, and given
> the short key size and the SP800-57 guidelines we do not recommend use
> of DSA as currently limited to 1024-bit prime moduli for signatures that
> will be verified beyond 2010.
>
>
> (2) I propose we remove the reference to FIPS 186-2
>
> DSS
> FIPS PUB 186-2. Digital Signature Standard (DSS). U.S. Department of
> Commerce/National Institute of Standards and Technology.
> http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf
>
> (3) Propose we rename target from FIPS 186-3 to DSS
>
> Should we revisit whether the must/recommended in this case?

Yes. I'm concerned there is not enough demand for 2048 bit DSA as well as FIPS 186-3 being just published to warrant making this a MUST/RECOMMENDED requirement (even for validation only).

--Sean
Received on Monday, 15 June 2009 20:27:33 UTC
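
The parameter sizes quoted in the proposed 6.4.1 text, written as a size check a verifier could run on a ds:DSAKeyValue before accepting a DSA signature. This is an added example, not code from the thread or from the specification; the function names and verdict strings are assumptions, and the sample keys are constructed integers of the right bit length, not real DSA parameters.

```python
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# (L, N) = (bits of p, bits of q), as listed in the proposed text.
FIPS_186_3_PAIRS = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}


def crypto_binary_bits(text):
    """Bit length of a ds:CryptoBinary value (base64, big-endian unsigned)."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big").bit_length()


def assess_dsa_key_value(xml_text):
    """Return (L, N, verdict) for the first ds:DSAKeyValue in xml_text."""
    # Constructed input only; untrusted XML should go through a hardened parser.
    root = ET.fromstring(xml_text)
    kv = next(root.iter(f"{{{DSIG_NS}}}DSAKeyValue"), None)
    if kv is None:
        raise ValueError("no ds:DSAKeyValue element")
    p = kv.findtext(f"{{{DSIG_NS}}}P")
    q = kv.findtext(f"{{{DSIG_NS}}}Q")
    if p is None or q is None:
        raise ValueError("P and Q are required for a size check")
    L, N = crypto_binary_bits(p), crypto_binary_bits(q)
    if (L, N) not in FIPS_186_3_PAIRS:
        verdict = "reject: not a FIPS 186-3 (L, N) pair"
    elif L == 1024:
        verdict = "legacy: not recommended for signatures verified beyond 2010"
    elif L == 2048:
        verdict = "ok: meets the SP 800-57 size for use beyond 2010"
    else:
        verdict = "ok: meets the SP 800-57 size for use beyond 2030"
    return L, N, verdict


def sample_key_value(l_bits, n_bits):
    """Constructed input: integers of the right size only, not a real DSA key."""
    def b64(bits):
        value = (1 << (bits - 1)) | 1  # top bit set, so bit_length() == bits
        return base64.b64encode(value.to_bytes((bits + 7) // 8, "big")).decode()
    return (f'<KeyValue xmlns="{DSIG_NS}"><DSAKeyValue>'
            f"<P>{b64(l_bits)}</P><Q>{b64(n_bits)}</Q></DSAKeyValue></KeyValue>")


if __name__ == "__main__":
    for l_bits, n_bits in [(1024, 160), (2048, 256), (3072, 256), (1536, 160)]:
        print(assess_dsa_key_value(sample_key_value(l_bits, n_bits)))
```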