RE: Call for Consensus: Proposed algorithm change to XML Encryption 1.1 - Deadline 28 August from Hal Lockhart on 2012-08-16 (public-xmlsec@w3.org from August 2012)

From: Hal Lockhart <hal.lockhart@oracle.com>
Date: Thu, 16 Aug 2012 10:17:21 -0700 (PDT)
To: Frederick.Hirsch@nokia.com, public-xmlsec@w3.org
Message-ID: <f2cdad8e-218f-4ed0-8df2-eadf7f4eee39@default>

+1

> -----Original Message-----
> From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
> Sent: Wednesday, August 15, 2012 3:09 PM
> To: public-xmlsec@w3.org
> Cc: Frederick.Hirsch@nokia.com
> Subject: Call for Consensus: Proposed algorithm change to XML
> Encryption 1.1 - Deadline 28 August
> 
> A] Issue: Security risks may be associated with RSA v1.5
> 
> B] Approach: Change RSA v1.5 to OPTIONAL with note warning
> implementations of security concerns.  Implementations allowed to
> implement (or not) depending on deployment tradeoffs needed for
> interoperability and security.
> 
> C] Specific Proposal:
> 
> All changes are proposed with respect to current XML Encryption 1.1
> editors draft at http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-
> 11/Overview.src.html
> 
> (1) Section 5.1.1 "Table of Algorithms", Key Transport section
> 
> Change  "1. Required RSA-v1.5" to "1. Optional RSA-v1.5 (see RSA-v1.5
> security note)"
> 
> "see RSA-v1.5 security note" is link to warning added to end of section
> 5.5.1 (see #3)
> 
> (2) Sections 5.2-5.9
> 
> Removed "Required"/"Optional" after all identifier algorithms in
> sections 5.2-2.9. Thus these designations only appear in section 5.1,
> Algorithm Identifiers and Implementation requirements. This reduces
> duplication and mirrors what we have done in XML Signature 1.1. This
> also has the effect of removing the "required" notation on RSA v1.5 in
> section 5.5.1
> 
> (3) 5.5.1 RSA Version 1.5
> 
> Add to end of section the following warning:
> 
> Note:  Implementation of RSA v1.5 is *not* recommended due to security
> risks associated with the algorithm.
> 
> D] Call for Consensus
> 
> This message is a Call for Consensus (CfC) to make the changes proposed
> and is sent as many group members are not on all teleconferences, yet
> we wish to include the entire group in the decision.
> Please respond to this message on the public list with a +1 for support
> or a message if there are any concerns with the change. Silence will be
> taken as agreement.  Please respond by 27 August.
> 
> Thanks
> 
> regards, Frederick
> 
> Frederick Hirsch, Nokia
> Chair XML Security WG
> 
> For tracker, this completes ACTION-898
> 
> 
>

Received on Thursday, 16 August 2012 17:17:55 UTC