
ebxml-msg message


Subject: Re: [ebxml-msg] [OASIS Issue Tracker] Commented: (EBXMLMSG-45) PMode parameter for Key Transport algorithm

I got feedback from a vendor involved in two interoperability tests. They support http://www.w3.org/2001/04/xmlenc#rsa-1_5, http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p and http://www.w3.org/2009/xmlenc11#rsa-oaep, and it is a configurable option so they can switch between the three. They find that their partner systems are often very picky about the algorithm. When testing against one vendor, they had to use http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, otherwise security processing would fail on the partner side (I don't know if they can configure the algorithm or if it is a problem in the software), and when doing some tests with another vendor, they had to use http://www.w3.org/2001/04/xmlenc#rsa-1_5.

(The OASIS JIRA doesn't let me log in, will update the issue once it does)

On 02/17/2014 06:11 PM, OASIS Issues Tracker wrote:
     [ http://tools.oasis-open.org/issues/browse/EBXMLMSG-45?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=36589#action_36589 ]

Pim van der Eijk commented on EBXMLMSG-45:

According to http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/#sec-RSA-OAEP,  if the value for the key transport algorithm is http://www.w3.org/2009/xmlenc11#rsa-oaep then two other algorithms can be specified:

1) Mask generation function, with values like http://www.w3.org/2009/xmlenc11#mgf1sha256. Default is http://www.w3.org/2009/xmlenc11#mgf1sha1.

2) Key transport message digest function, with values like http://www.w3.org/2001/04/xmlenc#sha256.  Default is http://www.w3.org/2000/09/xmldsig#rsa-sha1.

In both cases the defaults are discouraged.

This would mean three new parameters.

PMode parameter for Key Transport algorithm

                 Key: EBXMLMSG-45
                 URL: http://tools.oasis-open.org/issues/browse/EBXMLMSG-45
             Project: OASIS ebXML Messaging Services TC
          Issue Type: Improvement
          Components: Core Spec
            Reporter: Pim van der Eijk

For encryption, the core specification currently has a PMode PMode[1].Security.X509.Encryption.Algorithm which identifies "the encryption algorithm to be used" based on W3C XML Encryption algorithm identifiers.

XML Encryption actually distinguishes two algorithms:

1) xenc:EncryptedData / xenc:EncryptionMethod / @Algorithm
The value is an identifier of a block encryption algorithm like http://www.w3.org/2001/04/xmlenc#aes128-cbc or http://www.w3.org/2001/04/xmlenc#tripledes-cbc.

2) xenc:EncryptedKey / xenc:EncryptionMethod / @Algorithm
The value is an identifier of an algorithm used for Key Transport. XML encryption currently recommends http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, commonly used values include http://www.w3.org/2001/04/xmlenc#rsa-1_5.

I assume the PMode parameter identifies the first use. There does not seem to be a parameter for the second one? When using WS-SecurityPolicy, it would be needed to select the correct policy, e.g. Basic128Sha256 versus Basic128Sha256Rsa15.

(This is not to promote WS-SecurityPolicy, the ebMS3 approach of directly using the W3C Signature and Encryption parameters is actually more future-proof than WS-SecurityPolicy's identifiers, just to note that some implementers of ebMS3 will use security toolkits that are configured using WS-SecurityPolicy).
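
An added example, not part of the original messages or of any ebMS3 product: a small check that reads the key transport algorithm, mask generation function and digest from an xenc:EncryptedKey and compares them with what a receiver is configured to accept, which is the mismatch the interoperability tests above ran into. The dictionary keys `algorithm`, `mgf` and `digest` are hypothetical stand-ins for the three parameters under discussion, the sample element is constructed, and for an absent ds:DigestMethod the code uses http://www.w3.org/2000/09/xmldsig#sha1, the digest default defined by XML Encryption 1.1.

```python
import xml.etree.ElementTree as ET

NS = {"xenc": "http://www.w3.org/2001/04/xmlenc#",
      "xenc11": "http://www.w3.org/2009/xmlenc11#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_OAEP = "http://www.w3.org/2009/xmlenc11#rsa-oaep"
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
MGF1_SHA1 = "http://www.w3.org/2009/xmlenc11#mgf1sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed sample: an EncryptedKey as a sender using xenc11#rsa-oaep might emit it.
SAMPLE_OAEP = """<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
    <xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"/>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </xenc:EncryptionMethod>
</xenc:EncryptedKey>"""

def key_transport_params(xml_text):
    """Return the effective key transport settings of one xenc:EncryptedKey."""
    # For messages from untrusted partners, parse with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(xml_text)
    method = root.find("xenc:EncryptionMethod", NS)
    if method is None or not method.get("Algorithm"):
        raise ValueError("EncryptedKey has no EncryptionMethod/@Algorithm")
    algorithm = method.get("Algorithm")
    params = {"algorithm": algorithm, "mgf": None, "digest": None}
    if algorithm in (RSA_OAEP, RSA_OAEP_MGF1P):
        digest = method.find("ds:DigestMethod", NS)
        params["digest"] = digest.get("Algorithm") if digest is not None else SHA1
        mgf = method.find("xenc11:MGF", NS)
        # rsa-oaep-mgf1p fixes the MGF to MGF1 with SHA-1; only xenc11#rsa-oaep lets it vary.
        if algorithm == RSA_OAEP and mgf is not None:
            params["mgf"] = mgf.get("Algorithm")
        else:
            params["mgf"] = MGF1_SHA1
    return params

def mismatches(expected, xml_text):
    """Map each differing setting to an (expected, actual) pair; empty dict means a match."""
    actual = key_transport_params(xml_text)
    return {k: (expected.get(k), v) for k, v in actual.items() if expected.get(k) != v}

if __name__ == "__main__":
    # Hypothetical receiver configuration that only accepts RSA v1.5 key transport.
    expected = {"algorithm": "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "mgf": None, "digest": None}
    for name, (want, got) in mismatches(expected, SAMPLE_OAEP).items():
        print(f"{name}: expected {want}, message uses {got}")
```
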
