wss-comment message



Subject: RE: WS-Security Signing Standards


Thanks Jeff – I assume it is therefore advisable to reference the XML Namespaces to confirm the validity of the current WSS standard rather than the standard itself?

 

 

--

Rob Mason
07770 578764

 

 

From: Krug, Jeff [mailto:Jeff.Krug@gtri.gatech.edu]
Sent: 13 February 2017 13:46
To: Mason Rob (HOB); wss-comment@lists.oasis-open.org
Subject: Re: WS-Security Signing Standards

 

XML-DSIG has been updated given the concerns related to SHA1 that have arisen in the last 6+ years, where it's basically considered to be obsolete now (for security related purposes), but there are dozens if not hundreds of older specs that reference / rely on XML-DSIG that have not been updated, so they are just out of date with regard to the recommended algorithms to use.

 

 

 


From: Mason Rob (HOB) <RobertNeil.Mason3@homeoffice.gsi.gov.uk>
Sent: Monday, February 13, 2017 4:55 AM
To: wss-comment@lists.oasis-open.org
Subject: [wss-comment] WS-Security Signing Standards

 

Good Morning,

 

I am writing on behalf of my project team regarding a possible discrepancy in the published WS-Security standards:

 

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826550

 

Section 6 defines RSAwithSHA1 as the required signing standard.  The XML Namespace referred to by WSS (XML namespace defined at http://www.w3.org/TR/xmldsig-core1/#sec-Algorithms) requires RSA-SHA256 and discourages RSA-SHA1.

 

Is this a known contradiction within the current standard definitions?

 

Thanks

 

 

--

Rob Mason
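
Added example, not part of the original thread: one way to check which side of the discrepancy discussed above a given signed message falls on, by listing the XML-DSIG `SignatureMethod` and `DigestMethod` algorithm URIs in a WS-Security header and flagging those that depend on SHA-1. The function names and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# XML Signature algorithm identifiers that depend on SHA-1.
SHA1_ALGORITHMS = {DS + "rsa-sha1", DS + "dsa-sha1", DS + "hmac-sha1", DS + "sha1"}

# Constructed sample: a trimmed WS-Security header, not taken from a real system.
SAMPLE = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header><wsse:Security><ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#body">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference>
    <ds:Reference URI="#timestamp">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature></wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>
"""


def audit_signature_algorithms(xml_text):
    """List (element, algorithm URI, uses_sha1) for each SignatureMethod and DigestMethod."""
    # ElementTree is fine for this inline sample; parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter("{%s}%s" % (DS, tag)):
            uri = el.get("Algorithm", "")
            findings.append((tag, uri, uri in SHA1_ALGORITHMS))
    return findings


def sha1_uses(xml_text):
    """Return only the findings whose algorithm depends on SHA-1."""
    return [f for f in audit_signature_algorithms(xml_text) if f[2]]


if __name__ == "__main__":
    for tag, uri, weak in audit_signature_algorithms(SAMPLE):
        print("%-16s %-50s %s" % (tag, uri, "SHA-1" if weak else "ok"))
```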

 
