RE: Request for a new SignatureMethod Algorithm Identifier in RFC 4051

Hi Konrad,

RFC 4051 says that no more URIs will be added under
http://www.w3.org/2001/04/xmldsig-more but earlier this year
http://www.w3.org/2007/05/xmldsig-more was explicitly allocated for
additions.

(RFC 4051: "it is not intended that any additional
"http://www.w3.org/2001/04/xmldsig-more#" URIs be created beyond those
enumerated in this document.")

I am in the process of producing an Internet Draft leading to an RFC to
replace RFC 4051 and will include
http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160 described as you
request.

Others on the mailing lists to which this is sent should note that this
is a good time to request other additions to the successor to RFC 4051.

Thanks,
Donald

====================================================
 Donald E. Eastlake 3rd      +1-508-786-7554 (work)
 Motorola Laboratories
 111 Locke Drive
 Marlborough, MA 01752 USA
 Donald.Eastlake@motorola.com


> -----Original Message-----
> From: Konrad Lanz [mailto:Konrad.Lanz@iaik.tugraz.at] 
> Sent: Monday, October 29, 2007 12:06 PM
> To: Eastlake III Donald-LDE008
> Cc: w3c-ietf-xmldsig@w3.org; XMLSec; Reinhard Posch; Herbert 
> Leitold; Peter Lipp
> Subject: Request for a new SignatureMethod Algorithm 
> Identifier in RFC 4051
> 
> Dear Donald Eastlake,
> 
> Giving the advances in SHA-1 collision search where first 
> collisions may
> be expected in even less than a year and given that national
> legislations explicitly require collision free hash functions and may
> exclude SHA-1 immediately after first collisions, alternatives in
> XMLDSIG are needed. In the ECDSA signature suites this is so 
> far limited
> to the SHA-2 family -- no SignatureMethod Algorithm URI exists.
> 
> As several widely deployed ECDSA solutions (e.g. smartcards) are
> technically limited to 160 bit hash functions where RIPEMD160 is the
> valid alternative, the risk exists that vendors or CAs are forced to
> deploy proprietary EDCSA-XMLDSIG -- RIPEMD160 solutions.
> 
> Therefore, an URI for ECDSA (ANSI X 9.62) with RIPMD160 is 
> urgently needed.
> 
> We suggest to use the fragment #ecdsa-ripemd160 to be used in the
> xmldsig-more namespace.
> 
> http://www.w3.org/2001/04/xmldsig-more#ecdsa-ripemd160
> 
> We further propose to add the following Sentence to
> http://tools.ietf.org/html/rfc4051#section-2.3.6 .
> 
> "The #ecdsa-ripemd160 fragment of this namespace identifies a 
> signature
> method processed in the same way as specified by the #ecdsa-sha1
> fragment of this namespace with the exception that RIPEMD160 is used
> instead of SHA-1."
> 
> kind regards
> 
> Konrad Lanz
> 
> -- 
> A-SIT
> 
> Konrad Lanz, IAIK/SIC - Graz University of Technology
> Inffeldgasse 16a, 8010 Graz, Austria
> Tel: +43 316 873 5547
> Fax: +43 316 873 5520
> https://www.iaik.tugraz.at/aboutus/people/lanz
> http://jce.iaik.tugraz.at
> 
> Certificate chain (including the EuroPKI root certificate):
> https://europki.iaik.at/ca/europki-at/cert_download.htm
> 

Received on Thursday, 8 November 2007 19:51:16 UTC