W3C home > Mailing lists > Public > public-xmlsec@w3.org > September 2009

Is ACTION-297 the impact of ISSUE-105 (HMAC output length is defined on bits base64 on octets) on the XMLDSig 1.0 errata ? (see also: ACTION-298 and ACTION-320)

From: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
Date: Tue, 08 Sep 2009 18:27:00 +0200
Message-ID: <4AA685D4.1080503@iaik.tugraz.at>
To: Frederick Hirsch <frederick.hirsch@nokia.com>
CC: XMLSec WG Public List <public-xmlsec@w3.org>
Collecting the bits together ...

It seems that [ACTION-297], [ACTION-298] and [ACTION-320] are mostly the
same thing and done already.

The only issue potentially remaining is that 1.1 solves the issue 105
for 1.1 [XMLDSig11] and not for 1.0 [XMLDSig-errata] we say nothing. For
legacy reasons shouldn't we also be able to work with HMACOutputLength
not divisible by 8.

Hence I interpret [ACTION-297] as providing text for an erratum to 1.0.

In the spirit of [ACTION-320] and [XMLDSig11], however I'm not sure we
can add a MUST/REQUIRES in an erratum, so maybe a SHOULD/RECOMMENDS
would be more appropriate:

This specification RECOMMENDS that the truncation length be a multiple
of 8 (i.e. fall on a byte boundary) because Base64 encoding operates on
full bytes for newly created signatures.

Verifying applications MAY successfully verify HMAC signatures if their
actual SignatureValue is 1 to 7 bits shorter than the HMACOutputLength
(ignoring the last partly used byte) [ACTION-298] given that the
truncation length is not below half the underlying hash algorithm's
output length, or 80 bits, whichever of these two values is greater


[XMLDSig-errata] http://www.w3.org/2008/06/xmldsigcore-errata.html
[XMLDSig11] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/#sec-HMAC
[ACTION-257] http://www.w3.org/2008/xmlsec/track/actions/257
[ACTION-297] http://www.w3.org/2008/xmlsec/track/actions/297
[ACTION-298] http://www.w3.org/2008/xmlsec/track/actions/297
[ACTION-320] http://www.w3.org/2008/xmlsec/track/actions/320
Konrad Lanz, IAIK/SIC - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5547
Fax: +43 316 873 5520

Downlaod certificate chain (including the EuroPKI root certificate):

Received on Tuesday, 8 September 2009 16:27:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:12 UTC