[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [saml-dev] SHA-1 vs. SHA-2/SHA-3/etc.?
On 2/5/14, 8:24 AM, "Szabó Áron" <email@example.com> wrote: > >last year I asked some questions in connection with switching from core >XMLDSIG message structure to extended XMLDSIG one (which is called XAdES >and published by ETSI). That time this suggestion was rejected. It was >reasonable and we could accept it. But there is still a point which is >hardcoded in the SAML v2.0 standard and can cause problems: the set of >acceptable crypto algorithms. That is incorrect. There is no such requirement, except where conformance is concerned. This is a problem essentially across all standards, nobody has the ability to maintain conformance statements across the changing landscape of algorithms. SAML itself doesn't care and the standard defers to XML Signature for algorithm support. The caveat is that technically the standard refers to XML Signature 1.0 but in practice this means nothing, as 1.1 is fully compatible with 1.0. >Based on the SAML v2.0, we can just use RSA+SHA-1 signature method >(http://www.w3.org/2000/09/xmldsig#rsa-sha1). The digest method is not >mentioned in the standard, but the sample contains just the URI of SHA-1 >(http://www.w3.org/2000/09/xmldsig#sha1). You can use any algorithm you like. The SHOULD is a conformance statement about what implementations have to support, not about what the standard requires. -- Scott