oops, wrong explain, instead see 
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/explain.html 6.1, 6.2*, 
6.3.1, 6.4.2 (e.g. move away from SHA-1)

regards, Frederick

Frederick Hirsch
Nokia



On Dec 14, 2011, at 2:00 PM, Hirsch Frederick (Nokia-CIC/Boston) wrote:

> Art
> 
> I think switching the dependency to XML Signature 1.0 is a bad idea, noting 
> that 1.1 has fixed errors, and addressed security vulnerabilities, including 
> updates to algorithms (other than ECC) to address known weaknesses.
> 
> details in http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/explain.html, 
> 5.1, 5.5.1, 5.8, 6.6-6.8
> 
> I think the W3 team is actively working on the PAG issue but have no idea 
> when we will see the result - one hope was before year end. 
> 
> regards, Frederick
> 
> Frederick Hirsch
> Nokia
> 
> 
> 
> On Dec 13, 2011, at 1:14 PM, Arthur Barstow wrote:
> 
>> Hi All,
>> 
>> The Widgets DigSig spec [W-DigSig] has been sitting in PR for over 4 months 
>> now, blocked on the Elliptic Curve PAG [ECC-PAG]. AFAICT, this PAG has just 
>> started its unspecified length Fishing Expedition seeking some unspecified 
>> level of funds to pay for some type of analysis that will take some unknown 
>> amount of time to complete ...
>> 
>> Given this, and not wanting to block on the ECC PAG any longer, what are the 
>> options to move widgets-digsig to REC ASAP?
>> 
>> Some options:
>> 
>> 1. Replace [XMLSig1.1] dependency with XMLSig 1.0. I presume this would 
>> require a new 3-week LC but the CR could be zero-length, presumably no 
>> re-testing would be required, and the only thing blocking PR->REC is the 
>> length of the new CfE that would be needed.
>> 
>> 2. Move the tainted algorithm(s) in XMLSig1.1 to XMLSig1.Next so XMLSig1.1 
>> is not affected by the PAG and XMLSig1.1 can then continue on the REC track.
>> 
>> 3. Others?
>> 
>> (#2 seems dead simple so I'm probably missing some things.)
>> 
>> -AB
>> 
>> [W-DigSig] http://www.w3.org/TR/widgets-digsig/
>> [XMLSig1.1] http://www.w3.org/TR/xmldsig-core1/
>> [ECC-PAG] http://www.w3.org/2011/02/xmlsec-pag-charter.html
>> 
> 

