W3C

Disposition of comments for the XML Security Working Group


In the table below, red in the WG decision column indicates that the Working Group didn't agree with the comment, green indicates that it agreed with it, and yellow reflects an in-between situation.

In the "Commentor reply" column, red indicates the commenter objected to the WG resolution, green indicates approval, and yellow means the commenter didn't respond to the request for feedback.

Commentor | Comment | Working Group decision | Commentor reply
LC-2594 Cantor, Scott <cantor.2@osu.edu> (archived comment)
In this section:
http://www.w3.org/TR/xmlenc-core1/Overview.html#sec-bleichenbacher-attack

Reference to RFC 3218 is mis-stated as 3281.
Replace 3281 with 3218 in text
yes
LC-2581 MURATA Makoto <eb2m-mrt@asahi-net.or.jp> (archived comment)
The schema fragment in 5.5.2 RSA-OAEP in Encryption 1.1 is
confusing. This fragment contains two element declarations,
namely


   <element name="OAEPparams" minOccurs="0" type="base64Binary"/>


and


   <element name="MGF" type="xenc11:MGFType"/>


.


The reader is likely to assume that they belong to the same schema
and thus the same namespaces.  However, OAEPparams belongs to
the namespace for XML Encryption 1.0, while MGF belongs to that
for 1.1.


It should be made clear that these two declarations occur in different
schemas.
http://lists.w3.org/Archives/Public/public-xmlsec/2012Jan/0019.html


To address this concern, I've updated the XML Encryption 1.1 editor's draft RSA-OAEP section 5.5.2, http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.html#sec-RSA-OAEP

to contain the following:

[[


The XML Encryption 1.0 schema definition and description for the EncryptionMethod element is in section 3.2 The EncryptionMethod Element<http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.html#sec-EncryptionMethod>. The following shows the XML Encryption 1.1 addition for the MGF type:

Schema Definition:

<element name="MGF" type="xenc11:MGFType"/>
<complexType name="MGFType">
  <complexContent>
    <restriction base="xenc11:AlgorithmIdentifierType">
      <attribute name="Algorithm" type="anyURI" use="required" />
    </restriction>
  </complexContent>
</complexType>


]]

instead of the original that was less clear:

[[

Schema Definition:
<!-- use these element types as children of EncryptionMethod
     when used with RSA-OAEP -->
<element name="OAEPparams" minOccurs="0" type="base64Binary"/>
<element ref="ds:DigestMethod" minOccurs="0"/>
<element name="MGF" type="xenc11:MGFType"/>
<complexType name="MGFType">
  <complexContent>
    <restriction base="xenc11:AlgorithmIdentifierType">
      <attribute name="Algorithm" type="anyURI" use="required" />
    </restriction>
  </complexContent>
</complexType>

]]
yes
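
The namespace split raised in LC-2581, as an added example that is not part of the comment thread or the specification: a Python check that each RSA-OAEP child of EncryptionMethod sits in the namespace its schema declares. The namespace URIs are those of the published XML Encryption 1.0/1.1 and XML Signature specifications; the function names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"    # XML Encryption 1.0
XENC11 = "http://www.w3.org/2009/xmlenc11#"   # XML Encryption 1.1
DS = "http://www.w3.org/2000/09/xmldsig#"     # XML Signature

# Namespace in which each RSA-OAEP child element is declared.
EXPECTED_NS = {"OAEPparams": XENC, "MGF": XENC11, "DigestMethod": DS}

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag

def misplaced_children(xml_text):
    """Return (local name, found ns, expected ns) per child in the wrong namespace."""
    root = ET.fromstring(xml_text)
    if split_tag(root.tag) != (XENC, "EncryptionMethod"):
        raise ValueError("root is not xenc:EncryptionMethod")
    problems = []
    for child in root:
        ns, local = split_tag(child.tag)
        expected = EXPECTED_NS.get(local)
        if expected is not None and ns != expected:
            problems.append((local, ns, expected))
    return problems

# Constructed sample: every child carries the prefix of its own schema.
GOOD = """<xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
  <xenc:OAEPparams>9lWu3Q==</xenc:OAEPparams>
  <xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"/>
  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
</xenc:EncryptionMethod>"""

# Constructed sample: MGF inherits the 1.0 default namespace, the mistake
# a reader makes when assuming both declarations share one schema.
BAD = """<EncryptionMethod xmlns="http://www.w3.org/2001/04/xmlenc#"
    Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
  <OAEPparams>9lWu3Q==</OAEPparams>
  <MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"/>
</EncryptionMethod>"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, misplaced_children(doc))
```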

Developed and maintained by Dominique Hazaël-Massieux (dom@w3.org).
$Id: index.html,v 1.1 2017/08/11 06:45:32 dom Exp $