Fwd: [saag] Heads-up: XML Signature 1.1 W3C Last Call coming up

Forwarding with permission.
--
Thomas Roessler, W3C  <tlr@w3.org>

Begin forwarded message:

> From: Anthony Bryan <anthonybryan@gmail.com>
> Date: 7 November 2009 12:17:04 PST
> To: tlr@w3.org
> Subject: Re: [saag] Heads-up: XML Signature 1.1 W3C Last Call coming up
>
> Greetings Thomas,
>
> I'm working on an Internet Draft that describes an XML format for
> describing downloads: http://tools.ietf.org/html/draft-bryan-metalink
>
> Most of the text concerning xmldsig-core is borrowed from the Atom RFC
> with changes from suggestions on the IETF secdir mailing list because
> our community has no experience with this.
>
> I was wondering if you know of someone who could provide review, and
> tell us if what we have is sufficient?
>
> If so, here are the relevant sections, around 10 sentences:
>
> http://tools.ietf.org/html/draft-bryan-metalink-21#section-5
>
> 5. Securing Metalink Documents
>
>
>   Because Metalink is an XML-based format, existing XML security
>   mechanisms can be used to secure its content.
>
>   Producers of Metalink Documents may have sound reasons for signing
>   otherwise-unprotected content.  For example, a merchant might
>   digitally sign a Metalink that lists a file download to verify its
>   origin.  Other merchants may wish to sign and encrypt Metalink
>   Documents that list digital songs that have been purchased.  Of
>   course, many other examples are conceivable as well.
>
>   The algorithm requirements in this section pertain to the Metalink
>   Processor.  They require that a recipient, at a minimum, be able to
>   handle messages that use the specified cryptographic algorithms.
>   These requirements do not limit the algorithms that the sender can
>   choose.
>
>   Metalink Processors that verify signed Metalink Documents MUST at
>   least support XML-Signature and Syntax Processing
>   [REC-xmldsig-core].
>
> http://tools.ietf.org/html/draft-bryan-metalink-21#section-8.4
>
> 8.4. Signing
>
>
>   Metalink Documents SHOULD be signed using [REC-xmldsig-core] and are
>   subject to the security considerations implied by its use.  This
>   addresses the issue of spoofing.
>
>   Digital signatures provide authentication, message integrity, and
>   non-repudiation with proof of origin.
>
>
> Thank you for your input.
>
>
> On Fri, Nov 6, 2009 at 3:00 PM,  <saag-request@ietf.org> wrote:
>> Date: Thu, 5 Nov 2009 12:07:01 -0800
>> From: Thomas Roessler <tlr@w3.org>
>> Subject: [saag] Heads-up: XML Signature 1.1 W3C Last Call coming up
>> To: saag@ietf.org, Tim Polk <tim.polk@nist.gov>, Pasi.Eronen@nokia.com
>> Cc: Mark Nottingham <mnot@mnot.net>,    Frederick Hirsch
>>        <Frederick.Hirsch@nokia.com>
>> Message-ID: <C15998BD-B8AB-4245-92B4-300869401C5D@w3.org>
>> Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes
>>
>> As a heads-up, the W3C XML Security Working Group is planning to take
>> its XML Signature 1.1 and XML Encryption 1.1 specifications to W3C
>> Last Call within the next few weeks.  Main changes against XML
>> Signature 1.0 and XML Encryption 1.0 relate to including support for
>> Suite B algorithms (including mark-up for key material).  The group is
>> wrapping up discussions about making these algorithms mandatory to
>> implement in the Last Call Working Draft; however, that would be up
>> for further investigation and possibly subject to change as the specs
>> move further along the W3C recommendation track.
>>
>> Review of the editor's drafts would be welcome:
>>   http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/
>>   http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/
>>
>> We'll send a formal review request through the W3C/IETF liaison
>> channel once the Last Call Working Drafts are out.
>>
>> On a related note, the Working Group recently published a First Public
>> Working Draft of XML Security Generic Hybrid Ciphers.  That
>> specification, too, would benefit from early review:
>>   http://www.w3.org/TR/xmlsec-generic-hybrid/
>>
>> If you have any questions, please don't hesitate to contact Frederick
>> Hirsch (WG chair; copied on this note) or myself.  Unfortunately,
>> neither of us will be able to travel to Hiroshima.
>>
>> Regards,
>> --
>> Thomas Roessler, W3C  <tlr@w3.org>
>
>
>
> -- 
> (( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
>  )) Easier, More Reliable, Self Healing Downloads
>

Received on Sunday, 8 November 2009 23:31:34 UTC