- From: Joseph Reagle <reagle@w3.org>
- Date: Fri, 1 Apr 2005 10:19:29 -0500
- To: jose.kahan@w3.org
- Cc: w3c-ietf-xmldsig@w3.org

On Wednesday 30 March 2005 09:44, Jose Kahan wrote:
> For SHA-1, can this be done just with errata or do we need
> to do a new edition of the spec?

This is a serious problem, but I don't think this is a mistake of the specification itself, or should be substantively addressed in the errata document. We could point it out as an informational item, though I expect for anyone who cares, they would know.

When I left, the W3C Recommendation updating/revision/errata process was being hammered out -- and I thought it might even be getting too formal -- so I don't know if there is now a sense of how this problem should be addressed. In particular, I doubt many of the other W3C specifications have had this sort of security concern. What is the IETF doing? Is there some policy there on how to update specifications that are dependent on algorithms that are now considered weak?

Or, instead of revising the whole of the specification, we could go Rich's route and post a new small specification, though I think it should be a recommendation rather than a note if it has any compliance claims.

> I know that PGP support in XML-DSIG is underspecified, it would
> be good to complete it, if possible with errata or with a note.

That has always been an "it would be nice" but no one ever stepped up to the plate. Even the open source XMLsec library never implemented it. (Though these folks seem to have had some experience: http://giftfile.org/lists/archive/giftfile-dev/2004q4/000002.html )

If substantive work were to be started again, I would be more concerned with questions of integrating the existing errata, updating some of the algorithm references for security, and addressing some of the shifts in the XML landscape (i.e., InfoSet, XPath 2.0), outlined in: http://www.w3.org/2002/02/xmlsec-horizon

Received on Friday, 1 April 2005 15:19:24 UTC