- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Wed, 19 Jun 2002 08:11:49 -0400
- To: Donald Eastlake 3rd <dee3@torque.pothole.com>
- Cc: "Ahmed, Zahid" <zahid.ahmed@commerceone.com>, "'reagle@w3.org'" <reagle@w3.org>, "'xml-encryption@w3.org'" <xml-encryption@w3.org>, "'blaird@microsoft.com'" <blaird@microsoft.com>, "Takeshi Imamura" <IMAMU@jp.ibm.com>, "Sanfilippo, Joe" <joe.sanfilippo@commerceone.com>
Don:
Not all the missing algorithms are weak ones. The entire class of
password-based encryption algorithms is not defined. Admittedly, there's
no reason to make them mandatory to support, nor to define everything in
sight (I've catalogued 15 PKCS#5 or PKCS#12 variants using SHA-1 as their
digest, before AES came out), but a few of them would probably help. I
would suggest pkcs-12-PBEWithSha1AndTripleDESCBC and
pbeWithSHAAnd3-KeyTripleDES-CC (see PKCS#12 section 6.3) for a start.
Tom Gindin
Donald Eastlake 3rd <dee3@torque.pothole.com>@w3.org on 06/19/2002 12:14:55 AM
Sent by: xml-encryption-request@w3.org
To: "Ahmed, Zahid" <zahid.ahmed@commerceone.com>
cc: "'reagle@w3.org'" <reagle@w3.org>, "'xml-encryption@w3.org'" <xml-encryption@w3.org>, "'blaird@microsoft.com'" <blaird@microsoft.com>, Takeshi Imamura/Japan/IBM@IBMJP, "Sanfilippo, Joe" <joe.sanfilippo@commerceone.com>
Subject: Re: W3C Encryption Support for DES, RC2, and RC4 Symmetric Encryption Algorithms
There is already one encryption algorithm in
ftp://ftp.ietf.org/internet-drafts/draft-eastlake-xmldsig-uri-02.txt
I suppose I could add some more.
Donald
======================================================================
Donald E. Eastlake 3rd dee3@torque.pothole.com
155 Beaver Street +1-508-634-2066(h) +1-508-851-8280(w)
Milford, MA 01757 USA Donald.Eastlake@motorola.com
On Tue, 18 Jun 2002, Ahmed, Zahid wrote:
> Date: Tue, 18 Jun 2002 16:29:07 -0700
> From: "Ahmed, Zahid" <zahid.ahmed@commerceone.com>
> To: "'reagle@w3.org'" <reagle@w3.org>,
> "'dee3@torque.pothole.com'" <dee3@torque.pothole.com>,
> "'xml-encryption@w3.org'" <xml-encryption@w3.org>
> Cc: "'blaird@microsoft.com'" <blaird@microsoft.com>,
> "'IMAMU@jp.ibm.com'" <IMAMU@jp.ibm.com>,
> "Sanfilippo, Joe" <joe.sanfilippo@commerceone.com>
> Subject: W3C Encryption Support for DES, RC2,
> and RC4 Symmetric Encryption Algorithms
>
> Reviewing the latest XML Encryption Candidate Recommendation spec, it seems
> that only the following symmetric encryption algorithms are required:
> 1) AES/CBC (128-bit, 192-, and 256-bits)
> 2) Triple-DES/CBC are required in XML Encryption implementations.
>
> However, we are curious if there are any plans to also the option to support
> other encryption algorithms such as: DES, RC2 (56- and 128-bit), and RC4 (56-
> and 128-bit).
>
> I understand the propensity of avoiding the usage of weak encryption
> algorithms, but there may be some scenarios where this may be useful, e.g.,
> compatibility with PKCS7/SMIME encryption which has similar support or
> situations where encryption exports from US requires weaker encryption
> option. Now, we do understand that XML Encryption implementation providers
> could expose the use of such encryption algorithms and key-lengths, but we
> would need standardized support for the relevant URIs for DES, RC2, and RC4
> to ensure interoperability of the relevant URIs that define these additional
> encryption options.
>
> thanks,
> Zahid
>
>
>
Received on Wednesday, 19 June 2002 08:12:26 UTC