Subject: Re: [ws-brsp] Current status, and BSP issue
Dear all,

Here is some input for today's meeting on SHA1, summarizing the issues and potential solutions.

First of all, there are (apart from Jacques' proposal, which is more a short term "quick fix") two options to address the SHA1 issue for the cases in 9.6.1 and 9.7.1 (see email below):

1) Generalizing the recommendation to reference the W3C recommendations instead of mentioning specific values.

2) Upgrading some references to algorithms based on SHA256 (which is the minimal recommendation as of 2014).

Second and more problematic are dependencies on other standards that have SHA1 hard-wired:

1) Section 13.2.6 mentions http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1, which is defined in WS-Security SOAP Message Security [1].

2) Section 15.2.2 mentions http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 which is defined in the WS-Security Kerberos profile [2]. (Actually, BSP 15.2.2 has a typo: "tokenprofile" instead of "token-profile").

These two referenced specifications do not include identifiers for SHA-256-based (or better) variants of these algorithms. This is an issue for the WSS-M TC, which unfortunately has been inactive since July 2012 ..

A separate third issue for implementations is that upgrading some algorithms, e.g. from RSA-SHA1 to RSA-SHA256, may be problematic for security toolkits that can only be configured using WS-SecurityPolicy, as that specification only supports RSA-SHA1. This is also not an issue for this WS-BRSP TC but rather for the WS-SX TC. I raised this on their mailing list [3], but that TC also seems to be no longer active.

Kind Regards,

Pim van der Eijk

[1] http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SOAPMessageSecurity-v1.1.1-os.html
[2] http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-KerberosTokenProfile-v1.1.1-os.html
[3] https://lists.oasis-open.org/archives/ws-sx/201401/msg00000.html

On 03/20/2014 06:28 PM, Pim van der Eijk wrote:
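The message above distinguishes SHA1 identifiers that have a straightforward SHA-256 replacement (the XML-DSig signature and digest algorithm URIs) from those hard-wired into WSS profiles with no SHA-256 variant (ThumbprintSHA1, Kerberosv5APREQSHA1). The following scanner is an added example, not code from the BSP, the OASIS TCs or the poster: it walks a WS-Security message and reports every SHA1-based Algorithm or ValueType, naming the standard SHA-256 URI where one exists and flagging the rest as having no defined replacement. The sample SOAP message, its digest/signature values and the UPGRADES mapping are constructed for this illustration; the replacement URIs are the ones registered for XML-DSig (xmlenc#sha256 and xmldsig-more#rsa-sha256).

```python
"""Audit a WS-Security message for SHA-1-based algorithm identifiers.

Added illustration; not taken from the WS-I BSP or any OASIS specification.
"""
import xml.etree.ElementTree as ET

# SHA-1 URIs that have a standard SHA-256 counterpart in XML-DSig.
UPGRADES = {
    "http://www.w3.org/2000/09/xmldsig#sha1":
        "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1":
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}

# SHA-1 URIs whose defining WSS profiles specify no SHA-256 variant.
# These can only be reported; there is nothing to rewrite them to.
NO_UPGRADE = {
    "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1",
    "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1",
}

# Constructed sample message (values are placeholders, not real digests/signatures).
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#Body">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>constructed-digest-value</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>constructed-signature-value</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier
              ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
              >constructed-thumbprint</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>constructed payload</soap:Body>
</soap:Envelope>"""


def find_sha1_usage(xml_text):
    """Return (element_tag, attribute, uri, replacement_or_None) for each SHA-1 use.

    Findings are in document order. replacement is None when the defining
    profile offers no SHA-256 identifier, so the message cannot be upgraded
    by rewriting the URI alone.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        for attr in ("Algorithm", "ValueType"):
            uri = elem.get(attr)
            if uri is None:
                continue
            if uri in UPGRADES:
                findings.append((elem.tag, attr, uri, UPGRADES[uri]))
            elif uri in NO_UPGRADE or uri.lower().endswith("sha1"):
                # Catch-all for other SHA-1 identifiers (e.g. hmac-sha1) not in the table.
                findings.append((elem.tag, attr, uri, None))
    return findings


def summarize(xml_text):
    """Return (upgradable_count, blocked_count) for a quick go/no-go view."""
    findings = find_sha1_usage(xml_text)
    upgradable = sum(1 for f in findings if f[3] is not None)
    return upgradable, len(findings) - upgradable


if __name__ == "__main__":
    for tag, attr, uri, replacement in find_sha1_usage(SAMPLE):
        local = tag.split("}")[-1]
        action = f"upgrade to {replacement}" if replacement else "no SHA-256 identifier defined"
        print(f"{local} {attr}={uri}: {action}")
    print("upgradable/blocked:", summarize(SAMPLE))
```

Run against a corpus of captured messages, the blocked count shows how much of a deployment depends on the WSS-M and WS-SX identifiers the message says are stuck on SHA1, separately from the XML-DSig URIs that a toolkit configuration change can fix.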