OASIS Mailing List Archives

security-services message



Subject: 17 August Action Item - MTI security algorithms


Enclosed is a proposed resolution to the action item from the 17 August
2004 SSTC call:
"Frederick to identify MTI algorithms for signature and encryption and
determine where to capture it"

Basically the resolution is to make explicit the mandated algorithms in
XML Digital Signature and XML Encryption, with the exception of also
requiring the RSAwithSHA1 Signature algorithm.

Not clear if we need to require DSAwithSHA1, but XML Sig requires it.
Proposed text states that SAML does not require it but the XML Signature
does (i.e. we should expect interoperability through RSAwithSHA1). Is
this a reasonable approach?

I propose we add the following text to the Conformance Requirements
draft as a new section 3.4.
If we add additional statements about XML Encryption or XML Signature,
they can also go in this section.

Proposed text:
-----

3.4 XML Digital Signature and XML Encryption

SAML 2.0 uses XML Digital Signature [XMLSig] to implement XML signing
and encryption functionality for integrity and source authentication.
SAML 2.0 uses XML Encryption [XMLEnc] to implement confidentiality,
including encrypted identifiers, encrypted assertions, and encrypted
attributes.

3.4.1 XML Signature Algorithms

XML Signature mandates use of the following algorithms in section 6.1,
therefore they MUST be implemented by compliant SAML 2.0
implementations:

Digest: SHA1
MAC: HMAC-SHA1
XML Canonicalization: Canonical XML (without comments)
Transform: Enveloped Signature

In addition, to enable interoperability, the following MUST be
implemented by compliant SAML 2.0 implementations:

Signature: RSAwithSHA1 (recommended in Dsig but needed for
interoperability)
XML Canonicalization: Exclusive Canonicalization

Although XML Digital Signature mandates the DSAwithSHA1 signature
algorithm, it is not required by SAML 2.0, but is recommended. 

3.4.2 XML Encryption Algorithms

XML Encryption mandates use of the following algorithms in sections
5.2.1 and 5.2.2, therefore they MUST be implemented by compliant SAML
2.0 implementations:

Block Encryption: TRIPLE DES, AES-128, AES-256.
Key Transport: RSA-v1.5, RSA-OAEP

-------
Also add the following to the Conformance Requirements document
references section (at the end):

[XMLEnc] Donald Eastlake et al., XML Encryption Syntax and Processing, http://www.w3.org/TR/xmlenc-core/, World Wide Web Consortium, December 2002.

[XMLSig] Donald Eastlake et al., XML-Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/, World Wide Web Consortium, 12 February 2002.


Regards, Frederick 
Frederick Hirsch
Nokia
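Editor's added example (not part of Frederick's message or any SSTC deliverable): a small checker that walks a SAML 2.0 message and classifies every algorithm URI found on ds:CanonicalizationMethod, ds:SignatureMethod, ds:Transform, ds:DigestMethod and xenc:EncryptionMethod against the MTI set in the proposed section 3.4, reporting the DSAwithSHA1 case as "recommended" and anything else as "not MTI" (i.e. a peer implementing only the MTI set may fail to process it). The algorithm URIs are the identifiers defined by XML Signature and XML Encryption; the SAML Response below is constructed, with placeholder digest, signature and cipher values rather than real cryptographic output. Note that the list implemented here is the 2004 proposal: later revisions of both W3C specifications moved away from SHA-1 and RSA-v1.5, so this checks interoperability with the proposed baseline, not current best practice.

```python
"""Classify XML Signature / XML Encryption algorithm URIs in a SAML 2.0 message
against the MTI set proposed above. Added example, not SSTC code; stdlib only."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Canonicalization algorithms the proposal makes MTI: Canonical XML (without
# comments) from XML Signature 6.1 plus Exclusive Canonicalization.
C14N_MTI = {
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
}
# MTI URIs per proposed section 3.4, keyed by the element they appear on. A C14N
# algorithm may also be used as a ds:Transform, so C14N_MTI is accepted there too.
MTI = {
    "CanonicalizationMethod": C14N_MTI,
    "SignatureMethod": {DS + "rsa-sha1", DS + "hmac-sha1"},
    "DigestMethod": {DS + "sha1"},
    "Transform": {DS + "enveloped-signature"} | C14N_MTI,
    "BlockEncryption": {XENC + "tripledes-cbc", XENC + "aes128-cbc", XENC + "aes256-cbc"},
    "KeyTransport": {XENC + "rsa-1_5", XENC + "rsa-oaep-mgf1p"},
}
# Mandated by XML Signature but only recommended by SAML 2.0 under the proposal.
RECOMMENDED = {"SignatureMethod": {DS + "dsa-sha1"}}


def check_algorithms(xml_text):
    """Return (category, algorithm URI, status) for every algorithm identifier
    found; status is 'MTI', 'recommended', 'not MTI' or 'missing'."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")
        ns = ns.lstrip("{")
        if ns == DS and local in ("CanonicalizationMethod", "SignatureMethod",
                                  "DigestMethod", "Transform"):
            category = local
        elif ns == XENC and local == "EncryptionMethod":
            # Under xenc:EncryptedKey this names the key transport algorithm;
            # under xenc:EncryptedData it names the block cipher for the payload.
            holder = parent.get(el)
            is_key = holder is not None and holder.tag.endswith("}EncryptedKey")
            category = "KeyTransport" if is_key else "BlockEncryption"
        else:
            continue
        alg = el.get("Algorithm")
        if alg is None:
            status = "missing"
        elif alg in MTI[category]:
            status = "MTI"
        elif alg in RECOMMENDED.get(category, ()):
            status = "recommended"
        else:
            status = "not MTI"
        findings.append((category, alg, status))
    return findings


def non_mti_algorithms(xml_text):
    """Algorithms a peer that implements only the MTI set may not support."""
    return sorted({alg for _, alg, status in check_algorithms(xml_text)
                   if status == "not MTI"})


# Constructed sample: signed SAML Response carrying an EncryptedAssertion.
# "QUJD" is a placeholder, not a real digest, signature or ciphertext.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1">
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#_r1"><ds:Transforms>
   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <ds:DigestValue>QUJD</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>QUJD</ds:SignatureValue></ds:Signature>
 <saml:EncryptedAssertion><xenc:EncryptedData>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

# Variants: signed with RSA-SHA256 (outside the MTI set) and with DSAwithSHA1.
SAMPLE_SHA256 = SAMPLE.replace("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                               "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
SAMPLE_DSA = SAMPLE.replace("xmldsig#rsa-sha1", "xmldsig#dsa-sha1")

if __name__ == "__main__":
    for name, doc in (("MTI", SAMPLE), ("RSA-SHA256", SAMPLE_SHA256), ("DSA", SAMPLE_DSA)):
        print(name, "non-MTI:", non_mti_algorithms(doc), check_algorithms(doc))
```

The checker deliberately keys block-cipher and key-transport identifiers on the enclosing element, since xenc:EncryptionMethod carries both; a single merged set would accept a key-transport URI on EncryptedData, which is the kind of mismatch an interoperability check should surface rather than hide.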