Re: FW: Re: rsa/oaep from Jiandong Guo on 2002-04-09 (xml-encryption@w3.org from April 2002)

From: Jiandong Guo <jguo@phaos.com>
Date: Tue, 09 Apr 2002 11:54:46 -0400
To: reagle@w3.org
CC: xml-encryption@w3.org
Message-ID: <3CB30EC6.7F4C4FD9@phaos.com>

Joseph,

I object to the change of the URI of RSA-OAEP for the following reasons.
First of all, the new URI "rsa-oaep-mgf1-sha1-p" is nearly as vague as the old one.

You still cannot see clearly if the "sha1" is for the hash function of the OAEP
encoding
or the hash function to be used in MGF1. The fact is that it is hard to represent
all the parameters of RSA-OAEP clearly in a single URI. So I really believe that it
is
enough to make it clear in the text of the recommendation. Secondly, at this stage,

there are already many exsiting implementations, and considerable effort has been
expended on interop. This change will cause a lot of confusion and breakage,
for what is primarily an aesthetic improvement. I don't think it is worthwhile to
do it.

Jiandong Guo
Phaos Technology
http://www.phaos.com

Joseph Reagle wrote:

> On Monday 08 April 2002 19:22, merlin wrote:
> > Does it need a new namespace? It's just deprecating an old ambiguous
> > algorithm URI and replacing it with a new, more explicit URI in the same
> > namespace. We're not changing the schema.
>
> I like the new algorithm-ID as well. (For my clarity, do you agree with the
> URI Donald proposed, with the "-p" on the end?) However, when we are in CR
> we have an obligation [a] not to cause existing implementations of that
> namespace to break with respect to application behaviour or invalidating
> existing syntax. You're right about the syntax, but we still have an
> obligation to return something if someone looks at the old URI. Either it
> should dereference to something saying it's deprecated, or continue to
> point to an older spec (and not the REC).
>
> [a] http://www.w3.org/1999/10/nsuri
>
> Consequently, I don't think we need to change the namespace of the whole
> spec. I think we have two decent solutions to choose from. (I prefer the
> first, so people know explicitly it is deprecated and it's less confusing.)
>
> (1) In the spec we say the following is deprecated:
>   http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
> and replaced by
>   http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1-sha1-p
>
> (2) Or we drop the old one from the spec all-together and replace it with a
> new one (notice the year/month change).
>   http://www.w3.org/2002/03/xmlenc#rsa-oaep-mgf1-sha1-p
>
> I've repsented option 1 in:
>
> http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/Overview.html#sec-RSA-OAEP
> new revision: 1.172

Received on Tuesday, 9 April 2002 12:10:09 UTC