Subject: 17 August Action Item - MTI security algorithms
Enclosed is a proposed resolution to the action item from the 17 August 2004 SSTC call:

"Frederick to identify MTI algorithms for signature and encryption and determine where to capture it"

Basically the resolution is to make explicit the mandated algorithms in XML Digital Signature and XML Encryption, with the exception of also requiring the RSAwithSHA1 Signature algorithm.

Not clear if we need to require DSAwithSHA1, but XML Sig requires it. Proposed text states that SAML does not require it but the XML Signature does (i.e. we should expect interoperability through RSAwithSHA1). Is this a reasonable approach?

I propose we add the following text to the Conformance Requirements draft as a new section 3.4. If we add additional statements about XML Encryption or XML Signature, they can also go in this section.

Proposed text:

-----

3.4 XML Digital Signature and XML Encryption

SAML 2.0 uses XML Digital Signature [XMLDsig] to implement XML signing and encryption functionality for integrity, and source authentication. SAML 2.0 uses XML Encryption [XMLEnc] to implement confidentiality, including encrypted identifiers, encrypted assertions, and encrypted attributes.

3.4.1 XML Signature Algorithms

XML Signature mandates use of the following algorithms in section 6.1, therefore they MUST be implemented by compliant SAML 2.0 implementations:

  Digest: SHA1
  MAC: HMAC-SHA1
  XML Canonicalization: CanonicalXML (Without comments)
  Transform: Enveloped Signature

In addition, to enable interoperability, the following MUST be implemented by compliant SAML 2.0 implementations:

  Signature: RSAwithSHA1 (recommended in Dsig but needed for interoperability)
  XML Canonicalization: Exclusive Canonicalization

Although XML Digital Signature mandates the DSAwithSHA1 signature algorithm, it is not required by SAML 2.0, but is recommended.

3.4.2 XML Encryption Algorithms

XML Encryption mandates use of the following algorithms in sections 5.2.1 and 5.2.2, therefore they MUST be implemented by compliant SAML 2.0 implementations:

  Block Encryption: TRIPLE DES, AES-128, AES-256.
  Key Transport: RSA-v1.5, RSA-OAEP

-------

Also add the following to the Conformance Requirements document references section (at the end):

[XMLEnc] Donald Eastlake et al., XML Encryption Syntax and Processing, http://www.w3.org/TR/xmlenc-core/, World Wide Web Consortium, December 2002.

[XMLSig] Donald Eastlake et al., XML-Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/, World Wide Web Consortium, 12 February 2002.

Regards, Frederick

Frederick Hirsch
Nokia
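Added example, not part of the original message or of any SAML specification text: a small audit that maps the algorithm names in the proposed section 3.4 to their W3C algorithm URIs and reports, for a constructed ds:Signature, which algorithms are MUST, RECOMMENDED, or outside the proposed list. Accepting the canonicalization algorithms as Transform values is an assumption of this example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Element local name -> {algorithm URI: status in the proposed section 3.4}.
# Assumption: canonicalization URIs are also accepted when used as a Transform.
PROPOSED = {
    "DigestMethod": {DS + "sha1": "MUST"},
    "CanonicalizationMethod": {C14N: "MUST", EXC_C14N: "MUST"},
    "Transform": {DS + "enveloped-signature": "MUST", C14N: "MUST", EXC_C14N: "MUST"},
    "SignatureMethod": {DS + "hmac-sha1": "MUST", DS + "rsa-sha1": "MUST",
                        DS + "dsa-sha1": "RECOMMENDED"},
    "EncryptionMethod": {XENC + "tripledes-cbc": "MUST", XENC + "aes128-cbc": "MUST",
                         XENC + "aes256-cbc": "MUST", XENC + "rsa-1_5": "MUST",
                         XENC + "rsa-oaep-mgf1p": "MUST"},
}
# Constructed sample: DSA signature (recommended only) with a SHA-256 digest (not listed).
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  <ds:Reference URI="#_constructed">
   <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </ds:Reference>
 </ds:SignedInfo>
</ds:Signature>"""

def audit(xml_text):
    """Return (element, algorithm URI, status) for each algorithm-bearing element."""
    # ElementTree is fine for this constructed input; use a hardened parser
    # (for example defusedxml) on XML received from a peer.
    findings = []
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]          # strip the {namespace} prefix
        if local in PROPOSED and "Algorithm" in el.attrib:
            uri = el.attrib["Algorithm"]
            findings.append((local, uri, PROPOSED[local].get(uri, "NOT LISTED")))
    return findings

if __name__ == "__main__":
    for element, uri, status in audit(SAMPLE):
        print(f"{status:12} {element:24} {uri}")
```

A "NOT LISTED" or "RECOMMENDED" result does not mean the algorithm is invalid, only that a peer implementing just the proposed mandatory set is not guaranteed to process it.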