OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] SHA-1 vs. SHA-2/SHA-3/etc.?

On 2/5/14, 8:24 AM, "Szabó Áron" <baronsz@freemail.hu> wrote:
>last year I asked some questions in connection with switching from core
>XMLDSIG message structure to extended XMLDSIG one (which is called XAdES
>and published by ETSI). That time this suggestion was rejected. It was
>reasonable and we could accept it. But there is still a point which is
>hardcoded in the SAML v2.0 standard and can cause problems: the set of
>acceptable crypto algorithms.

That is incorrect. There is no such requirement, except where conformance
is concerned. This is a problem essentially across all standards, nobody
has the ability to maintain conformance statements across the changing
landscape of algorithms.  SAML itself doesn't care and the standard defers
to XML Signature for algorithm support.

The caveat is that technically the standard refers to XML Signature 1.0
but in practice this means nothing, as 1.1 is fully compatible with 1.0.

>Based on the SAML v2.0, we can just use RSA+SHA-1 signature method
>(http://www.w3.org/2000/09/xmldsig#rsa-sha1). The digest method is not
>mentioned in the standard, but the sample contains just the URI of SHA-1

You can use any algorithm you like. The SHOULD is a conformance statement
about what implementations have to support, not about what the standard

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]