RE: [widget-digsig] proposed change to 7.1, common constraints, for algorithms

2009-03-19 Thread Frederick Hirsch

Mark

I'll change the sentence to read

"The ds:Signature MUST be produced using a key of the recommended key  
length or stronger."


Probably should change term from "recommended key length" to "minimum  
key length".


Later when we update algorithms we probably should review whether we  
need key length defined for each algorithm but can defer for now.


Will this change of sentence work ?

Thanks

regards, Frederick

Frederick Hirsch
Nokia

(for some reason this message of yours did not reach my personal  
inbox, but it was on the list)


Hi Frederick,

I agree with all of your changes with two comments. The sentence:

"The Signature MUST be produced using a key of the recommended key length"

is still problematic given that we allow (although discourage) key lengths less than the recommended key length, and probably don't want to rule out the use of longer keys. Suggest changing to:

"The Signature SHOULD be produced using a key of the recommended key length. The Signature MUST comply with Signature method algorithm requirements in the Algorithms section of this document"

I also think we need to link recommended key length to algorithms now we allow other algorithms to be used, ie if ECDSA is used it would be OK to use shorter keys.

Thanks, Mark




RE: [widget-digsig] proposed change to 7.1, common constraints, for algorithms

2009-03-19 Thread Priestley, Mark, VF-Group
Hi Frederick,
 
I agree with all of your changes with two comments. The sentence:
 
"The Signature  MUST be produced using a key of the recommended key
length
<http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length> "
 
is still problematic given that we allow (although discourage) key
lengths less than the recommended key length, and probably don't want to
rule out the use of longer keys. Suggest changing to:
 
"The Signature SHOULD be produced using a key of the recommended key
length
<http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length> .
The Signature MUST comply with Signature method algorithm requirements
in the Algorithms section of this document"
 
I also think we need to link recommended key length to algorithms now we
allow other algorithms to be used, ie if ECDSA is used it would be OK to
use shorter keys.
 
Thanks,
 
Mark




From: Frederick Hirsch [mailto:frederick.hir...@nokia.com] 
Sent: 18 March 2009 20:34
To: WebApps WG
Cc: Frederick Hirsch; Priestley, Mark, VF-Group; Marcos Caceres
Subject: [widget-digsig] proposed change to 7.1, common constraints, for algorithms




Mark 

One issue you raised was that we have MUSTS on algorithms in the
processing rules in section 7.1, but allow other algorithms in the
algorithm section with MAY. 

After our previous email exchange, I suggest the following
changes to section 7.1 in Widget Signature [1] to address this concern:

(1) Change item 3b from

The Algorithm attribute of the ds:digestMethod MUST be set to a
digest algorithm specified in the Algorithms section of this document.


to


The Algorithm attribute of the ds:digestMethod MUST comply with
the digest algorithm requirements specified in the Algorithms section of
this document.

(2) Change 5a from 


The Algorithm attribute of the ds:CanonicalizationMethod element
MUST be set to a Canonicalization method specified in the Algorithms
section of this document.


to


The Algorithm attribute of the ds:CanonicalizationMethod element
MUST comply with the Canonicalization method algorithm requirements
specified in the Algorithms section of this document.




(3) Change 5b from 


The ds:SignatureValue element MUST contain a signature generated
using a Signature method specified in the Algorithms section of this
document and MUST use a key that is of the length of a recommended key
length
<http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length> .


to


The Signature method algorithm used in the ds:SignatureValue
element MUST  comply with Signature method algorithm requirements in the
Algorithms section of this document. The Signature  MUST be produced
using a key of the recommended key length
<http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length> 




Does this change make sense? Do you have any suggestion or
comment?


Thanks for the careful review of the draft.


regards, Frederick

Frederick Hirsch
Nokia

[1] http://dev.w3.org/2006/waf/widgets-digsig/ 


[mp] While this is better I think it misses the fact that we are
strongly recommending the use of certain algorithms. I still like the
idea of including authoring (signing) guidelines/recommendations, ie you
can sign your widget using any signature algorithm but if you want it to
work across all W3C widget user agents use algorithm X. Same sort of
thing for digest algorithm and key length. What do you think?
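
The distinction debated in this thread, shown as an added example (not code from the specification or from either participant): algorithm compliance is enforced as a MUST, while key length is checked per signature algorithm and reported either as a SHOULD warning or as a MUST error. The permitted algorithms and bit lengths are assumed placeholder values for the spec's Algorithms section, and `check_signature` and `key_length_is_must` are hypothetical names.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

DS = "{http://www.w3.org/2000/09/xmldsig#}"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
# Assumed policy standing in for the Algorithms section; the thread does not
# list the algorithms or key lengths, so these values are illustrative only.
SIGNATURE_MIN_BITS = {RSA_SHA256: 2048, ECDSA_SHA256: 256}
DIGEST_ALGS = {"http://www.w3.org/2001/04/xmlenc#sha256"}
C14N_ALGS = {"http://www.w3.org/2006/12/xml-c14n11"}

# Constructed sample: a skeletal ds:Signature carrying only algorithm elements.
SAMPLE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
<SignatureMethod Algorithm="{sig_alg}"/>
<Reference URI="config.xml">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
</Reference></SignedInfo></Signature>"""

def check_signature(xml_text, key_bits, key_length_is_must=False):
    """Return (errors, warnings) for one ds:Signature.

    key_bits is the signer's public key size, read by the caller from the
    signing certificate (assumption). key_length_is_must=False models the
    SHOULD wording; True models a "minimum key length" MUST.
    """
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    sig = root if root.tag == DS + "Signature" else root.find(".//" + DS + "Signature")
    if sig is None:
        return ["no ds:Signature element"], warnings
    for name, allowed in (("CanonicalizationMethod", C14N_ALGS),
                          ("DigestMethod", DIGEST_ALGS),
                          ("SignatureMethod", SIGNATURE_MIN_BITS)):
        found = [e.get("Algorithm") for e in sig.iter(DS + name)]
        if not found:
            errors.append(f"missing ds:{name}")
        for alg in found:
            if alg not in allowed:  # algorithm compliance is always a MUST
                errors.append(f"ds:{name} algorithm not permitted: {alg}")
            elif name == "SignatureMethod" and key_bits < allowed[alg]:
                # The minimum depends on the algorithm: 256-bit ECDSA passes
                # where a 1024-bit RSA key does not.
                msg = f"{key_bits}-bit key below {allowed[alg]} bits for {alg}"
                (errors if key_length_is_must else warnings).append(msg)
    return errors, warnings
```
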






[widget-digsig] proposed change to 7.1, common constraints, for algorithms

2009-03-18 Thread Frederick Hirsch

Mark

One issue you raised was that we have MUSTS on algorithms in the  
processing rules in section 7.1, but allow other algorithms in the  
algorithm section with MAY.


After our previous email exchange, I suggest the following changes to  
section 7.1 in Widget Signature [1] to address this concern:


(1) Change item 3b from

The Algorithm attribute of the ds:digestMethod MUST be set to a digest  
algorithm specified in the Algorithms section of this document.


to

The Algorithm attribute of the ds:digestMethod MUST comply with the  
digest algorithm requirements specified in the Algorithms section of  
this document.


(2) Change 5a from

The Algorithm attribute of the ds:CanonicalizationMethod element MUST  
be set to a Canonicalization method specified in the Algorithms  
section of this document.


to

The Algorithm attribute of the ds:CanonicalizationMethod element MUST  
comply with the Canonicalization method algorithm requirements  
specified in the Algorithms section of this document.



(3) Change 5b from

The ds:SignatureValue element MUST contain a signature generated using  
a Signature method specified in the Algorithms section of this  
document and MUST use a key that is of the length of a recommended key  
length.


to

The Signature method algorithm used in the ds:SignatureValue element  
MUST  comply with Signature method algorithm requirements in the  
Algorithms section of this document. The Signature  MUST be produced  
using a key of the recommended key length



Does this change make sense? Do you have any suggestion or comment?

Thanks for the careful review of the draft.

regards, Frederick

Frederick Hirsch
Nokia

[1] http://dev.w3.org/2006/waf/widgets-digsig/


[mp] While this is better I think it misses the fact that we are
strongly recommending the use of certain algorithms. I still like the
idea of including authoring (signing) guidelines/recommendations, ie you
can sign your widget using any signature algorithm but if you want it to
work across all W3C widget user agents use algorithm X. Same sort of
thing for digest algorithm and key length. What do you think?