OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

camp message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] Created: (CAMP-102) 4.1.2 Validating Integrity

4.1.2 Validating Integrity
--------------------------

                 Key: CAMP-102
                 URL: http://tools.oasis-open.org/issues/browse/CAMP-102
             Project: OASIS Cloud Application Management for Platforms (CAMP) TC
          Issue Type: Bug
          Components: Public Review
            Reporter: Gilbert Pilz


Patrick Durusau submitted the following PR comment (https://lists.oasis-open.org/archives/camp-comment/201309/msg00046.html):

The first paragraph of 4.1.2 Validating Integrity reads:

*****
A PDP MAY contain a manifest file, named camp.mf, at the root of the
archive. [PDP-06] This file contains SHA256 [SHA256] digests of some
or all files in the package. A Provider SHOULD reject a PDP if any
digest listed in the manifest does not match the computed digest for
that file in the package. [PDP-07]
*****

I take the implication of:

"This file contains SHA256 [SHA256] digests of some or all files in
the package."

to be that a manifest file contains only SHA256 digests.

And any PDF with a listed digest that does not match a computed SHA256
digest for a file in the package should be rejected.

Yes?

The reason I ask is that 6.1 Transfer Protocol:

*****
TLS 1.1 [RFC4346] SHALL be implemented by the Provider. [PR-41] TLS
1.2 [RFC5246] is RECOMMENDED.[PR-42] When TLS is implemented, the
following cipher suites are RECOMMENDED to ensure a minimum level of
security and interoperability between implementations:

 TLS_RSA_WITH_AES_128_CBC_SHA (mandatory for TLS 1.1/1.2) [PR-43]

 TLS_RSA_WITH_AES_256_CBC_SHA256 (addresses 112-bit security strength
requirements)
   [PR-44]
*****

may cause some confusion.

True, one requirement is for transport and the other for digests but
why permit a weaker transport protocol than is used for digests?

Second, my bad on my RFC 4346 comment yesterday in not noticing it has
been obsoleted by RFC5246. Obsolete RFCs should not be used as
normative references. I will supplement that comment.

BTW, SHA-3 is in the process of being published, as your encryption
specialists already know: http://www.nist.gov/itl/csd/sha-100212.cfm


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]