Re: Last Call for "XML Encryption 1.1", "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" to end this Thursday 16 Feb

On 2/13/12 10:23 PM, "Magnus Nystrom" <mnystrom@microsoft.com> wrote:

>Personally I believe GCM is the better long-term choice, I view RFC 6476
>as a pragmatic solution but essentially a stop-gap. I cannot tell if
>there is the possibility of a timing attack and this alone makes me
>concerned.  Additionally, if XML Sec 1.1 requires GCM I expect to see
>uptake of that mode.

OpenSSL isn't going to support GCM sooner because of XML specs. It's
effectively off the table for me for a decade thanks to RH6 unless I
implement it from scratch myself. I don't think non-cryptographers like me
implementing algorithms outside the core libraries like OpenSSL is really
a direction that leads to better security outcomes.

>Finally, I'd really (like all of us, I think) like to see this effort
>reach the goal line and if we keep doing modifications I fear that we'll
>just move it out even further.

I have no expectation of supporting it with GCM, so for me it's moot when
it happens to complete.

I also am not seeing any sign that GCM is going to be the initial solution
for the JOSE work, for essentially the same reason. Lots of scripty
implementations of things use OpenSSL underneath, so they're hobbled by
the same limitation I am.

-- Scott

Received on Tuesday, 14 February 2012 03:39:25 UTC