- From: <aldrin.dsouza@rsa.com>
- Date: Sun, 28 Feb 2010 06:45:02 -0500
- To: <mnystrom@microsoft.com>, <public-xmlsec@w3.org>
- Message-ID: <901E1BC8E8EF9345BB8FB1EE99D0F31605D5959D@CORPUSMX70B.corp.emc.com>
> I think there should at least be an informal reference to the PKCS #5 > v2.0 Amd.1 document since it does give the reader more background on the > constructs and is the source of the XML schema herein. >-- Magnus I agree. I've reworded the first paragraph thus: -------------------------------------------------------------------------------- The PBKDF2 key derivation algorithm and the ASN.1 type definitions for its parameters are defined in PKCS #5v2.0 [PKCS5]. The XML schema definitions for the parameters is defined in [PKCS5Amd1] and the same can be specified by enclosing them within an xmlenc11:PBKDF2-params child element of the xmlenc11:KeyDerivationMethod element. [PKCS5Amd1]: http://www.w3.org/TR/xmlenc-core1/#ref-PKCS5Amd1 -------------------------------------------------------------------------------- Does this look good? thanks, -- ajd. -----Original Message----- From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org] On Behalf Of Magnus Nystrom Sent: Thursday, February 25, 2010 10:05 PM To: D'Souza, Aldrin; public-xmlsec@w3.org Subject: RE: ACTION 515: Propose schema addition for ISSUE-186 > -----Original Message----- > From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org] > On Behalf Of aldrin.dsouza@rsa.com > Sent: Wednesday, February 24, 2010 10:31 PM > To: public-xmlsec@w3.org > Subject: ACTION 515: Propose schema addition for ISSUE-186 > > Here's the proposed text for section 5.4.2 of XML Encryption 1.1. As > discussed, I've removed the reference to the PKCS#5 schema amendment > document > and copied the schema definitions (as defined there) inline. Please review. > > -------------------------------------------------------------------------------- > 5.4.2 PBKDF2 > > Identifier: > http://www.w3.org/2010/xmlenc11#pbkdf2 (OPTIONAL) > > The PBKDF2 key derivation algorithm and the ASN.1 type definitions for > its parameters are defined in PKCS #5v2.0 [PKCS5]. The algorithm > parameters > can be specified by enclosing them within an xmlenc11:PBKDF2-params child > element of the xmlenc11:KeyDerivationMethod element. > > Schema Definition: > > <element name="PBKDF2-params" type="xmlenc11:PBKDF2ParameterType"/> > > <complexType name="AlgorithmIdentifierType"> > <sequence> > <element name="Parameters" minOccurs="0"/> > </sequence> > <attribute name="Algorithm"/> > </complexType> > > <complexType name="PRFAlgorithmIdentifierType"> > <complexContent> > <restriction base="AlgorithmIdentifierType"> > <attribute name="Algorithm" type="anyURI" > default="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> > </restriction> > </complexContent> > </complexType> > > <complexType name="PBKDF2ParameterType"> > <sequence> > <element name="Salt"> > <complexType> > <choice> > <element name="Specified" type="base64Binary"/> > <element name="OtherSource" > type="xmlenc11:AlgorithmIdentifierType"/> > </choice> > </complexType> > </element> > <element name="IterationCount" type="positiveInteger"/> > <element name="KeyLength" type="positiveInteger"/> > <element name="PRF" type="xmlenc11:PRFAlgorithmIdentifierType"/> > </sequence> > </complexType> > > The PBKDF2-params element and its child elements have the same names and > meaning as the corresponding components of the PBKDF2-params ASN.1 type > in [PKCS5]. > > The AlgorithmIdentifierType corresponds to the AlgorithmIdentifier type > of [PKCS5] and carries the algorithm identifier in the Algorithm > attribute. Algorithm specific parameters, where applicable, can be > specified using the Parameters element. > > The PRFAlgorithmIdentifierType is derived from the > AlgorithmIdentifierType and constrains the choice of algorithms to those > contained in the PBKDF2-PRFs set defined in [PKCS5]. This type is used to > specify a pseudorandom function for PBKDF2 and the default PRF algorithm > (HMAC-SHA1) is the same as in [PKCS5]. It is RECOMMENDED to use > HMAC-SHA256 as the PRF algorithm (see [XML-DSIG], [HMAC]). > > An example of an xmlenc11:DerivedKey element with this key derivation > algorithm is: > > <xenc11:DerivedKey > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" > xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"> > <xenc11:KeyDerivationMethod > Algorithm="http://www.w3.org/2010/xmlenc11#pbkdf2"> > <xenc11:PBKDF2-params> > <xenc11:Salt> > <xenc11:Specified>Df3dRAhjGh8=</xenc11:Specified> > </xenc11:Salt> > <xenc11:IterationCount>2000</xenc11:IterationCount> > <xenc11:KeyLength>16</xenc11:KeyLength> > <xenc11:PRF > Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/> > </xenc11:PBKDF2-params> > </xenc11:KeyDerivationMethod> > <xenc:ReferenceList> > <xenc:DataReference URI="#ED"/> > </xenc:ReferenceList> > <xenc11:MasterKeyName>Our shared secret</xenc11:MasterKeyName> > </xenc11:DerivedKey> > > References: > > [PKCS5]: http://www.w3.org/TR/xmlenc-core1/#ref-PKCS5 > [XML-DSIG]: http://www.w3.org/TR/xmlenc-core1/#ref-XML-DSIG > [HMAC]: http://www.w3.org/TR/xmlenc-core1/#ref-HMAC > -------------------------------------------------------------------------------- > > thanks, > -- > ajd. >
Received on Sunday, 28 February 2010 11:45:49 UTC