OASIS Mailing List Archives


wss-m message



Subject: SHA-256 and RSA-SHA256




Dear all,

The WS-BRSP TC is discussing the references to/recommendations for SHA-1
in the BSP, and is considering a number of options. One of these
options is to update the BSP and change the recommendations to reference
algorithms consistent with current recommendations from security/
cryptography experts, e.g. to SHA-256 for hashing and RSA-SHA256
for signing.

https://lists.oasis-open.org/archives/ws-brsp/201405/msg00007.html

In this context it is relevant to know whether existing Web Services
stacks have been tested for interoperability using these algorithms, or
whether new test runs for BSP would be needed to verify the
interoperability of implementations using these algorithms. A customer
project I am involved in is looking at interoperability testing of a
profile of AS4 (a separate OASIS Standard that uses WS-Security) that uses
SHA-256 and RSA-SHA256, and so far this seems to work for the participating
products. But more evidence from multiple WS-Security implementations
would be appreciated. Some other references below and in:

https://lists.oasis-open.org/archives/ws-brsp/201405/msg00002.html

If you have any information, comments or suggestions, please contact me
(via the list, or directly by email).
This message will be cross-posted to some lists; apologies for duplicates.

Kind Regards,

Pim van der Eijk



On 01/20/2014 11:16 AM, Pim van der Eijk wrote:

Dear all,

Security best practices indicate that SHA1 should be replaced by safer algorithms like SHA256. Some WS security toolkits currently are unable to sign messages using the newer http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 algorithm; this is explained by references that WS-SecurityPolicy currently supports the http://www.w3.org/2000/09/xmldsig#rsa-sha1 signature algorithm. For example https://issues.apache.org/jira/browse/RAMPART-216 and some references in
https://lists.oasis-open.org/archives/wss-dev/201311/msg00005.html.

Would support for http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 in WS-SecurityPolicy require a new version? If so, is any such new version under consideration?

Kind Regards,

Pim van der Eijk
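The two messages above turn on which algorithm URIs a WS-Security signature actually carries: the XML-DSig SignatureMethod (rsa-sha1 vs. rsa-sha256) and the per-Reference DigestMethod (sha1 vs. sha256). The following audit script is an added example and is not part of the mailing list thread, the BSP, or any of the toolkits mentioned; it parses a signed SOAP envelope and reports whether the signature still relies on SHA-1. The sample envelopes are constructed here (the DigestValue and SignatureValue are placeholders, not real signatures), and the `make_signed_envelope` helper and the `audit_signature_algorithms` function are names chosen for this example. The algorithm URIs themselves are the standard ones from XML-DSig, XML Encryption and RFC 4051.

```python
"""Audit a WS-Security signed SOAP message for the hash/signature algorithms it uses.

Added example (not from the thread or any WS-Security toolkit). It only inspects
the algorithm identifiers in ds:SignedInfo; it does not verify the signature.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS_NS}

# Standard XML-DSig / XML Encryption / RFC 4051 algorithm identifiers.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

SHA1_FAMILY = {RSA_SHA1, SHA1}
SHA256_FAMILY = {RSA_SHA256, SHA256}

# Constructed sample envelope (hypothetical; DigestValue/SignatureValue are dummies).
_ENVELOPE_TEMPLATE = """<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="{sig}"/>
          <ds:Reference URI="#body">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="{dig}"/>
            <ds:DigestValue>AAAA</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>AAAA</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body"><Ping/></soap:Body>
</soap:Envelope>"""


def make_signed_envelope(signature_alg: str, digest_alg: str) -> str:
    """Return a constructed WS-Security envelope using the given algorithm URIs."""
    return _ENVELOPE_TEMPLATE.format(sig=signature_alg, dig=digest_alg)


def classify(uri: str) -> str:
    """Map an algorithm URI to a family label for reporting."""
    if uri in SHA1_FAMILY:
        return "sha1"
    if uri in SHA256_FAMILY:
        return "sha256"
    return "other"


def audit_signature_algorithms(soap_xml: str) -> dict:
    """Collect every SignatureMethod and DigestMethod URI from all ds:Signature
    elements in the message and summarise whether SHA-1 is still in use."""
    root = ET.fromstring(soap_xml)
    sig_algs, digest_algs = [], []
    for sig in root.iter("{%s}Signature" % DS_NS):
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if sm is not None and sm.get("Algorithm"):
            sig_algs.append(sm.get("Algorithm"))
        # One DigestMethod per Reference; a message may sign several parts.
        for dm in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS):
            if dm.get("Algorithm"):
                digest_algs.append(dm.get("Algorithm"))
    all_algs = sig_algs + digest_algs
    return {
        "signature_methods": sig_algs,
        "digest_methods": digest_algs,
        "families": sorted({classify(a) for a in all_algs}),
        "uses_sha1": any(classify(a) == "sha1" for a in all_algs),
        # Only true when a signature is present and every URI is SHA-256 based.
        "all_sha256": bool(all_algs) and all(classify(a) == "sha256" for a in all_algs),
    }


if __name__ == "__main__":
    for label, env in (("legacy", make_signed_envelope(RSA_SHA1, SHA1)),
                       ("updated", make_signed_envelope(RSA_SHA256, SHA256))):
        print(label, audit_signature_algorithms(env))
```

Run over captured request/response pairs from an interop test, the "uses_sha1" flag identifies which stack is still emitting the xmldsig#rsa-sha1 or xmldsig#sha1 URIs, and "all_sha256" confirms that both the signature method and every reference digest have moved to the SHA-256 identifiers. A mixed result (for example rsa-sha256 with a sha1 digest) shows up as both flags false with "families" listing both, which is exactly the partial migration an interop run needs to catch.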






