- From: Arthur Barstow <art.barstow@nokia.com>
- Date: Fri, 16 Dec 2011 07:51:47 -0500
- To: ext Brian LaMacchia <bal@microsoft.com>
- CC: Thomas Roessler <tlr@w3.org>, Philippe Le Hegaret <plh@w3.org>, Frederick Hirsch <frederick.hirsch@nokia.com>, Marcos Caceres <marcosscaceres@gmail.com>, Doug Schepers <schepers@w3.org>, Rigo Wenning <rigo@w3.org>, public-webapps <public-webapps@w3.org>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>, Magnus Nystrom <mnystrom@microsoft.com>
On 12/15/11 11:51 AM, ext Brian LaMacchia wrote: > Hello all, > > Sorry for coming to this thread late (I'm on vacation) but I want to comment on a number of points raised during this thread: > > 1) Concerning the suggestion to move ECDSA out of XMLDSIG 1.1, that suggestion is a non-starter for XMLDSIG. One of the main motivations for XMLDSIG 1.1 is to update the spec to support Suite B cryptography, and that means ECDSA support has to be there. Delaying ECC is not a viable option for XMLDSIG. And further delaying widgets-digsig while waiting for money to fall from the sky doesn't seem like a particularly viable option either. (I don't understand the violent opposition for an additional version of XMLSig that includes everything in XMLSig1.1 CR minus the ECC refs nor why the specs aren't crafted such that the syntax and algorithms are in separate specs.) > 2) I do not understand the comments that Widget-DSig is independent of ECC. As far as I can tell from reading the spec, while Widget-Dsig makes certain recommendations about algorithms and key sizes legally Widget-DSig has to work with any XMLDSIG 1.1 mandatory-to-implement option. That is, Widget-DSig does not *profile* XMLDSIG 1.1 but simply says "use XMLDSIG 1.1". Since ECDSA-SHA256 is a mandatory-to-implement signature algorithm in XMLDSIG 1.1, every Widget-DSig implementation would have to support it (it would be violating the XMLDSIG 1.1 spec otherwise). One view here is that ECC is XMLSig's direct problem. XMLSig should be responsible for testing ECC - not widgets-digsig. An analogy is HTML5 and CSS2.1: HTML5 normatively references CSS2.1 but there is no expectation the HTML5's test suite will test every assertion in CSS2.1. I think this applies with widgets-digsig and XMLSig and in this view, they are "independent". -AB
Received on Friday, 16 December 2011 12:52:09 UTC