XML Signature 1.1 updates from Frederick.Hirsch@nokia.com on 2012-09-03 (public-xmlsec@w3.org from September 2012)

From: <Frederick.Hirsch@nokia.com>
Date: Mon, 3 Sep 2012 21:17:44 +0000
To: <public-xmlsec@w3.org>
CC: <Frederick.Hirsch@nokia.com>
Message-ID: <15DA6C51-CE9F-4ABB-BC46-72653D486BFE@nokia.com>
I have updated the editor's draft of XML Signature 1.1 as follows:

1.  Key Length wording update

Updated key length security text for DSA and RSA algorithms. Changed DSA from REQUIRING 1024 bit verification to MAY to fix inconsistency in advice. This was for ACTION-906.

Changed section 6.4.1 DSA, please review last two paragraphs:

[[
Security considerations regarding DSA key sizes

Per FIPS 186-3 [FIPS-186-3<http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html#bib-FIPS-186-3>], the DSA security parameter L is defined to be 1024, 2048 or 3072 bits and the corresponding DSA q value is defined to be 160, 224/256 and 256 bits respectively.

NIST provides guidance on the use of keys of various strength for various time frames in special Publication SP 800-57 Part 1 [SP800-57<http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html#bib-SP800-57>]. Implementers should consult this publication for guidance on acceptable key lengths for applications, however 2048-bit public keys are the minimum recommended key length and 3072-bit keys are recommended for securing information beyond 2030. SP800-57 Part 1 states that DSA 1024-bit key sizes should not be used except to verify and honor signatures created using older legacy systems.

Since XML Signature 1.0 requires implementations to support DSA-based digital signatures, this XML Signature 1.1 revision allows verifiers to verify DSA signatures for DSA keys of 1024 bits in order to validate existing signatures. XML Signature 1.1 implementations may but are not required to support DSA-based signature generation. Given the short key size and SP800-57 guidelines, DSA with 1024-bit prime moduli should not be used to create signatures. DSA with 1024-bit prime moduli may be used to verify older legacy signatures, with an understanding of the associated risks. Important older signatures should be re-signed with stronger signatures.

]]

changed 6.4.2 RSA (PKCS#1 v1.5), please review the following:

[[

Security considerations regarding RSA key sizes

NIST provides guidance on the use of keys of various strength for various time frames in special Publication SP 800-57 Part 1 [SP800-57<http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html#bib-SP800-57>]. Implementers should consult this publication for guidance on acceptable key lengths for applications, however 2048-bit public keys are the minimum recommended key length and 3072-bit keys are recommended for securing information beyond 2030.

All conforming implementations of XML Signature 1.1 must support RSA signature generation and verification with public keys at least 2048 bits in length. RSA public keys of 1024 bits or less should not be used to create new signatures but may be used to verify signatures created by older legacy systems. XML Signature 1.1 implementations must use at least 2048-bit keys for creating signatures, and should use at least 3072-bit keys for signatures that will be verified beyond 2030.

]]

changed reference but waiting for merge from Robin from git.

Also updated Security algorithms cross reference, section 3.1 DSA-SHA1, accordingly, but updating MUST to MAY to make consistent:

[[
Implementation of this algorithm is required in [XMLDSIG-CORE2002<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE2002>] and [XMLDSIG-CORE<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE>]. It is mandatory to implement in [XMLDSIG-CORE1<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE1>] for signature verification. [XMLDSIG-CORE1<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE1>] allows verification support for 1024 bit key legacy signatures, but requires that 1024 bit keys must not be used for new signatures.
]]

I also corrected the formatting of examples/schema in the document.

See http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html (refresh may be needed)

Please send any comments to public list.

regards, Frederick

Frederick Hirsch
Nokia

For Tracker this should complete ACTION-906 and ACTION-904 (for XML Signature 1.1)
Received on Monday, 3 September 2012 21:18:16 UTC