So what about option #2 below? -AB

On 12/14/11 2:00 PM, Hirsch Frederick (Nokia-CIC/Boston) wrote:
Art

I think switching the dependency to XML Signature 1.0 is a bad idea, noting 
that 1.1 has fixed errors, and addressed security vulnerabilities, including 
updates to algorithms (other than ecc) to address known weaknesses.

Details in http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/explain.html, 
sections 5.1, 5.5.1, 5.8, 6.6-6.8.

I think the W3 team is actively working on the PAG issue but I have no idea when 
we will see the result; one hope was before year end.

regards, Frederick

Frederick Hirsch
Nokia



On Dec 13, 2011, at 1:14 PM, Arthur Barstow wrote:

Hi All,

The Widgets DigSig spec [W-DigSig] has been sitting in PR for over 4 months 
now, blocked on the Elliptic Curve PAG [ECC-PAG]. AFAICT, this PAG has just 
started its unspecified length Fishing Expedition seeking some unspecified 
level of funds to pay for some type of analysis that will take some unknown 
amount of time to complete ...

Given this, and not wanting to block on the ECC PAG any longer, what are the 
options to move widgets-digsig to REC ASAP?

Some options:

1. Replace [XMLSig1.1] dependency with XMLSig 1.0. I presume this would require a 
new 3-week LC but the CR could be zero-length, presumably no re-testing would be 
required, and the only thing blocking PR->REC is the length of the new CfE that 
would be needed.

2. Move the tainted algorithm(s) in XMLSig1.1 to XMLSig1.Next so XMLSig1.1 is 
not affected by the PAG and XMLSig1.1 can then continue on the REC track.

3. Others?

(#2 seems dead simple so I'm probably missing some things.)

-AB

[W-DigSig] http://www.w3.org/TR/widgets-digsig/
[XMLSig1.1] http://www.w3.org/TR/xmldsig-core1/
[ECC-PAG] http://www.w3.org/2011/02/xmlsec-pag-charter.html