- From: <Frederick.Hirsch@nokia.com>
- Date: Wed, 10 Aug 2011 21:10:22 +0000
- To: <public-xmlsec@w3.org>
- CC: <Frederick.Hirsch@nokia.com>
I have some proposed changes to the XML Encryption 1.1 CR draft [1]:

(1) PKCS1 [2] discusses security proofs related to RSAES-PKCS1-v1_5 and RSAES-OAEP, in particular for chosen ciphertext attacks (see section 7). It states "RSAES-OAEP is recommended for new applications; RSAES-PKCS1-v1_5 is included only for compatibility with existing applications, and is not recommended for new applications". I suggest we update XML Encryption 1.1 to support this (best practice) advice by

(1a) changing the Key Transport item in "5.1.1 Table of Algorithms" from

    required RSA-v1.5
    http://www.w3.org/2001/04/xmlenc#rsa-1_5

to

    required RSA-v1.5 (Use is DISCOURAGED; see Note below)
    http://www.w3.org/2001/04/xmlenc#rsa-1_5

with corresponding Note: RSA-v1.5 is required for backward compatibility to decrypt keys, but should not be used to encrypt keys, as noted in PKCS1. RSA-OAEP should be used instead.

(1b) In section "5.5.1 RSA Version 1.5" remove "(required)" after the identifier URL (as we did for SHA-1).

(2) Editorial: in "5.1.1 Table of Algorithms" for SHA-1 it states "(Use is DISCOURAGED; see below)" but this "see below" is not a link and thus not easy to follow. We should update this to mimic the text in XML Signature 1.1, with "(Use is DISCOURAGED; see SHA-1 Warning)" where "SHA-1 Warning" is a link to the Message Digest section 5.8 that already contains the warning text. (In XML Signature we put that warning text in the SHA-1 section; I suggest we do that here as well.)

(3) Section 5.5.2 RSA-OAEP states "The desired output length for EME-OAEP-ENCODE is one byte shorter than the RSA modulus." PKCS1 states that the output is the length of the RSA modulus k (see item 2i in 7.1.1). I suggest we remove this sentence (PKCS1 is the normative reference and details this material).

We could argue all these changes are editorial as #1 is advice on proper use that reflects what is already in PKCS1.
regards, Frederick

Frederick Hirsch
Nokia

[1] http://www.w3.org/TR/2011/CR-xmlenc-core1-20110303/
[2] http://www.ietf.org/rfc/rfc3447.txt

This should complete ACTION-822
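The following audit is an added example illustrating items (1) and (2) of the message above; it is not code from the mailing list, the W3C drafts, or any XML Security library. It walks an XML Encryption document, reports any EncryptionMethod or DigestMethod whose Algorithm identifier the message proposes to mark DISCOURAGED (rsa-1_5 for key transport, sha1 for digests), and applies the proposed Note's distinction: RSA-v1.5 is an error when we are about to produce (encrypt) a document, but only informational when we are consuming (decrypting) one for backward compatibility. The sample document, the severity levels and the function names are constructed for this example.

```python
"""Audit an XML Encryption document for algorithm identifiers the message
above proposes to mark DISCOURAGED. Example code, not the W3C's or the
author's; the SAMPLE document below is constructed."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

RSA_V15 = XENC + "rsa-1_5"          # key transport, proposed DISCOURAGED
RSA_OAEP = XENC + "rsa-oaep-mgf1p"  # the replacement the message recommends
SHA1 = DS + "sha1"                  # digest, DISCOURAGED in the Table of Algorithms
SHA256 = XENC + "sha256"            # one non-discouraged digest identifier


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def _walk(elem, context, producing, findings):
    name = _local(elem.tag)
    if name in ("EncryptedData", "EncryptedKey"):
        context = name  # remember which structure the algorithm belongs to
    if name in ("EncryptionMethod", "DigestMethod"):
        alg = elem.get("Algorithm", "")
        if alg == RSA_V15:
            # Proposed Note: required for backward-compatible *decryption*,
            # but new encryptors should use RSA-OAEP instead.
            severity = "error" if producing else "info"
            findings.append((severity, context, alg,
                             "RSA-v1.5 key transport is DISCOURAGED; use " + RSA_OAEP))
        elif alg == SHA1:
            # "(Use is DISCOURAGED; see SHA-1 Warning)" from the table, item (2).
            findings.append(("warning", context, alg,
                             "SHA-1 digest is DISCOURAGED; see SHA-1 Warning (5.8), "
                             "e.g. use " + SHA256))
    for child in elem:
        _walk(child, context, producing, findings)


def audit(xml_text, producing=True):
    """Return a list of (severity, context, algorithm, message) tuples.

    producing=True  -> we are the encryptor emitting this document.
    producing=False -> we are the decryptor consuming it; RSA-v1.5 is
                       tolerated for backward compatibility (info only).
    """
    findings = []
    _walk(ET.fromstring(xml_text), None, producing, findings)
    return findings


# Constructed sample: session key wrapped twice, once with RSA-v1.5 and once
# with RSA-OAEP using a SHA-1 DigestMethod.
SAMPLE = """<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      </xenc:EncryptionMethod>
      <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>CCCC</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

Run against the sample with the default producing=True it reports the RSA-v1.5 EncryptedKey as an error and the SHA-1 DigestMethod as a warning; with producing=False the RSA-v1.5 finding drops to info, matching the "decrypt yes, encrypt no" split in the proposed Note.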
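For item (3), the EME-OAEP encoding of RFC 3447 section 7.1.1 step 2 written out with hashlib, as an added example that is not from the message, the W3C drafts or any library. It shows that the encoded message EM = 0x00 || maskedSeed || maskedDB is exactly k octets (the length of the RSA modulus); the k-1 figure counts only the octets after the leading 0x00. Only the encoding and decoding steps are implemented; the RSA primitive itself is not performed. The modulus length, the message and the fixed seed used for the check are constructed values, and the seed parameter exists only so the result is reproducible.

```python
"""EME-OAEP encode/decode from RFC 3447 7.1.1 and 7.1.2 (SHA-1 and MGF1, the
defaults XML Encryption's rsa-oaep-mgf1p uses). Example code, not the W3C's
or the author's; no RSA operation is performed here."""
import hashlib
import os


def mgf1(seed, mask_len, hash_name="sha1"):
    """MGF1 mask generation function, RFC 3447 appendix B.2.1."""
    h_len = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range((mask_len + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def eme_oaep_encode(message, k, label=b"", hash_name="sha1", seed=None):
    """Return EM = 0x00 || maskedSeed || maskedDB, exactly k octets long.

    k is the length in octets of the RSA modulus; seed should normally be
    left as None so a fresh random seed is drawn."""
    h_len = hashlib.new(hash_name).digest_size
    if len(message) > k - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hashlib.new(hash_name, label).digest()
    ps = b"\x00" * (k - len(message) - 2 * h_len - 2)
    db = l_hash + ps + b"\x01" + message  # k - hLen - 1 octets
    seed = os.urandom(h_len) if seed is None else seed
    masked_db = _xor(db, mgf1(seed, k - h_len - 1, hash_name))
    masked_seed = _xor(seed, mgf1(masked_db, h_len, hash_name))
    return b"\x00" + masked_seed + masked_db


def eme_oaep_decode(em, k, label=b"", hash_name="sha1"):
    """Inverse of eme_oaep_encode (RFC 3447 7.1.2 step 3).

    Raises a single generic error for every inconsistency; a real decoder
    must also take the same time on every failure path."""
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != k or em[0] != 0:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + h_len], em[1 + h_len:]
    seed = _xor(masked_seed, mgf1(masked_db, h_len, hash_name))
    db = _xor(masked_db, mgf1(seed, k - h_len - 1, hash_name))
    if db[:h_len] != hashlib.new(hash_name, label).digest():
        raise ValueError("decryption error")
    rest = db[h_len:].lstrip(b"\x00")  # PS must be all zero up to the 0x01
    if not rest or rest[0] != 1:
        raise ValueError("decryption error")
    return rest[1:]


# Constructed check values: a 1024-bit modulus (k = 128 octets), a short
# "session key" and a fixed 20-octet seed so the output is reproducible.
K = 128
MESSAGE = b"constructed 16B key!"
FIXED_SEED = bytes(range(20))


def encoded_lengths():
    """Return (len(EM), len(maskedSeed || maskedDB)) for the check values."""
    em = eme_oaep_encode(MESSAGE, K, seed=FIXED_SEED)
    return len(em), len(em[1:])


if __name__ == "__main__":
    print("EM octets, octets after leading 0x00:", encoded_lengths())
```

encoded_lengths() returns (128, 127) for the constructed values: EM is k octets, and the one-byte-shorter figure is what remains once the mandatory leading 0x00 octet is excluded.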
Received on Wednesday, 10 August 2011 21:10:55 UTC