Copyright
©
2011
©
2012
W3C
®
®
(
MIT
,
ERCIM
,
Keio
),
All
Rights
Reserved.
W3C
liability
,
trademark
and
document
use
rules
apply.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
This Working Draft of "XML Security Algorithm Cross-Reference" is intended to become a W3C Note.
A
diff-marked
version
Changes
since
the
last
publication
of
this
specification
that
highlights
changes
against
the
previous
version
draft
is
available.
Major
include
the
following
changes
in
this
version:
(see
redline
):
This document was published by the XML Security Working Group as a Working Draft. If you wish to make comments regarding this document, please send them to public-xmlsec@w3.org ( subscribe , archives ). All feedback is welcome.
Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy . The group does not expect this document to become a W3C Recommendation. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy .
The various XML Security specifications have defined a number of algorithms of various types, while allowing and expecting additional algorithms to be defined later. Over time, these identifiers have been defined in a number of different specifications, including XML Signature, XML Encryption, RFCs and elsewhere.
This makes it difficult for users of the XML Security specifications to know whether and where a URI for an algorithm of interest has been defined, and can lead to the use of incorrect URIs. The purpose of this Note is to collect the various known URIs at the time of its publication and indicate the specifications in which they are defined in order to avoid confusion and errors.
This note is not intended as an exhaustive list of all known related identifiers, some of which may have been defined by other standards or specifications. Furthermore, this note is not to be taken as normative regarding the information provided; if information here conflicts with the referenced specification, the specification takes precedence in all cases.
The
architecture
of
the
XML
Security
specifications
distinguishes
between
the
(universally
useful)
identifiers
for
algorithms
and
the
roles
that
these
algorithms
can
take.
Roles
are
identified
through
elements
like
ds:SignatureMethod
,
ds:DigestMethod
,
ds:CanonicalizationMethod
,
or
ds:Transform
,
whereas
the
algorithms
are
identified
through
URIs.
Explicit
parameters
for
the
respective
algorithms
are
transmitted
in
child
elements
of
the
role
element.
This note indicates explicitly whether an algorithm is mandatory or recommended in other specifications. If nothing is said, then readers should assume that support for the algorithms given is optional.
This specification uses the following XML namespace prefixes:
ds
http://www.w3.org/2000/09/xmldsig#
xenc
http://www.w3.org/2001/04/xmlenc#
dsig11
http://www.w3.org/2009/xmldsig11#
dsigmore
http://www.w3.org/2001/04/xmldsig-more#
Algorithm URIs have been coined in a variety of namespaces, and are always given in full.
The
algorithms
listed
in
this
section
are
typically
used
in
the
signature
algorithm
role,
identified
through
the
ds:SignatureMethod
role
element
(
[
XMLDSIG-CORE
]
,
section
4.3.2).
Each
signature
method
takes
an
octet-stream
as
input,
and
produces
a
signature
value
(an
octet-stream
that
is
always
base64
encoded,
see
section
4.2
of
[
XMLDSIG-CORE
]
).
A
container
for
key
material,
ds:DSAKeyValue
,
is
defined
in
section
4.4.2.1
of
[
XMLDSIG-CORE
]
.
When
used
with
ds:RetrievalMethod
,
this
container
type
is
identified
through
the
URI
http://www.w3.org/2000/09/xmldsig#DSAKeyValue
.
Implementation of this algorithm is required in both [ XMLDSIG-CORE2002 ] and [ XMLDSIG-CORE ] . We anticipate that future versions of XML Signature will include make this algorithm mandatory to implement for signature verification only, and optional to implement for signature generation. Use of this algorithm is discouraged.
Implementation of this algorithm is optional. Permissible lengths of the prime modulus are 2048 and 3072.
This
section
lists
variants
of
the
RSA
algorithm.
A
container
for
key
material,
ds:RSAKeyValue
,
is
defined
in
section
4.4.2.2
of
[
XMLDSIG-CORE2002
]
.
When
used
with
ds:RetrievalMethod
,
this
container
type
is
identified
through
the
URI
http://www.w3.org/2000/09/xmldsig#RSAKeyValue
.
We only list the algorithm URI for RSA-MD5 for the sake of completeness. The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its use is discouraged at this time.
Implementation of this algorithm is recommended in [ XMLDSIG-CORE2002 ] and [ XMLDSIG-CORE ] . Use of this algorithm for signature generation will be discouraged in future versions of the XML Signature specification.
This algorithm is under consideration as a mandatory to implement algorithm for a future version of XML Signature [ XMLDSIG-CORE1 ] .
This
section
lists
various
variants
of
the
Elliptic
Curve
DSA
(ECDSA)
algorithm.
A
container
for
key
material,
dsigmore:ECDSAKeyValue
,
is
defined
in
section
3.4.1
of
[
RFC4050
].
No
ds:RetrievalMethod
type
URI
is
defined
for
this
container.
Work
is
under
way
to
revise
this
container
format.
See
section
4.5.2.3
,
for
description
of
ECKeyValue
element
defined
in
[
XMLDSIG-CORE1
].
Given recent cryptographic results about the SHA1 hash algorithm, users of this algorithm should apply similar caution to other SHA1 based algorithms, and treat it as an algorithm whose use is discouraged.
This
algorithm
is
under
consideration
as
a
mandatory
to
implement
algorithm
for
a
future
version
of
XML
Signature
[
XMLDSIG-CORE1
]
.
].
The
following
URIs
have
been
defined
for
various
Message
Authentication
Codes
that
use
the
HMAC
construction
[
HMAC
]
.
All
of
these
algorithms
take
an
explicit
truncation
length
parameter.
A
container
for
this
parameter,
ds:HMACOutputLength
,
is
defined
in
section
6.3.1
of
[
XMLDSIG-CORE
]
.
This
container
occurs
as
a
child
element
of
the
role
element.
This algorithm is used as the default MAC algorithm in [ XKMS2 ] . It is mandatory to implement in XML Signature [ XMLDSIG-CORE2002 ] , [ XMLDSIG-CORE ] .
This algorithm is under consideration as a recommended algorithm for a future version of XML Signature [ XMLDSIG-CORE1 ] .
The
following
URIs
have
been
defined
for
Digest
Methods.
They
are
typically
used
in
the
ds:DigestMethod
role
in
[
XMLDSIG-CORE2002
]
.
Note
that
ds:DigestMethod
also
occurs
as
in
the
context
of
xenc:AgreementMethod
,
as
specified
in
the
Key
Agreement
part
of
[
XMLENC-CORE
]
.
We only list the algorithm URI for MD5 for the sake of completeness. The cryptographic strength of this algorithm is sufficiently doubtful that its use is not recommended at this time.
Note that URIs for the various algorithms of the Secure Hash Algorithm family have been coined in a number of name spaces and specifications, specifically [ XMLDSIG-CORE2002 ] (and, in this regard identically, [ XMLDSIG-CORE ] ), [ XMLENC-CORE ] , and [ RFC4051 ] .
SHA-1 is the only digest algorithm defined in [ XMLDSIG-CORE ] , and is mandatory to implement in that specification, and in [ XMLENC-CORE ] . Given recent cryptographic research, however, it is expected that use of this algorithm (and signature algorithms that are based upon it) will be discouraged in forthcoming versions of XML Signature.
This algorithm is under consideration as a mandatory to implement algorithm for a future version of XML Signature [ XMLDSIG-CORE1 ] . It is recommended in [ XMLENC-CORE ] .
The
following
URIs
have
been
defined
for
symmetric
key
encryption
algorithms.
They
typically
appear
in
the
xenc:EncryptionMethod
role.
This algorithm is mandatory to implement in [ XMLENC-CORE ] .
This algorithm is mandatory to implement in [ XMLENC-CORE ] .
This algorithm is mandatory to implement in [ XMLENC-CORE ] .
This algorithm is optional to implement in [ XMLENC-CORE1 ].
This algorithm is optional to implement in [ XMLENC-CORE1 ].
The following URIs have been defined for key transport algorithms.
This algorithm is mandatory to implement in [ XMLENC-CORE ] .
The following URIs have been defined for key derivation algorithms.
The following URIs have been defined for key agreement algorithms.
While this is the only key agreement algorithm defined in [ XMLENC-CORE ], it is optional to implement.
A
container
for
key
material
for
this
key
agreement
algorithm,
xenc:DHKeyValue
,
is
defined
in
section
5.5.1
of
[
XMLENC-CORE
]
.
When
used
with
ds:RetrievalMethod
,
this
container
type
is
identified
through
the
URI
http://www.w3.org/2001/04/xmlenc#dh
.
This algorithm is an optional to implement algorithm for a future version of XML Encryption. [ XMLENC-CORE1 ].
This algorithm is under consideration as a mandatory to implement algorithm for a future version of XML Encryption. [ XMLENC-CORE1 ].
The following URIs have been defined for symmetric key wrap algorithms.
This algorithm is mandatory to implement in [ XMLENC-CORE ] .
This algorithm is mandatory to implement in [ XMLENC-CORE ] .
This algorithm is mandatory to implement in [ XMLENC-CORE ] .
The following URIs have been defined for generic hybrid cipher algorithms.
Canonicalization
algorithms
are
used
in
[
XMLDSIG-CORE2002
]
;
they
are
typically
used
in
the
ds:CanonicalizationMethod
and
ds:Transform
roles.
Canonical XML 1.0 [ XML-C14N ] without comments is mandatory to implement in both XML Signature [ XMLDSIG-CORE2002 ] and XML Signature Second Edition [ XMLDSIG-CORE ] . XML Signature Second Edition recommends use of Canonical XML 1.1 [ XML-C14N11 ] over use of Canonical XML 1.0 when inclusive canonicalization is desired, to address known issues with Canonical XML 1.0.
The canonicalization methods listed in this section accept a node-set or octet-stream as input, and produce an octet-stream as output.
This algorithm is mandatory to implement in [ XMLDSIG-CORE2002 ] and [ XMLDSIG-CORE ] .
This algorithm is mandatory to implement in [ XMLDSIG-CORE ] . Its use is recommended over Canonical XML 1.0.
Implementation is required in [ XMLDSIG-CORE ] and [ XMLENC-CORE ]. Note that the same URI is used to identify base64 both in "encoding" context as well as in "transform" context.
This
section
lists
algorithms
that
typically
occur
in
the
ds:Transform
role.
ds:Transform
is
defined
in
detail
in
the
XML
Signature
Reference
Processing
Model
(
[
XMLDSIG-CORE
]
,
section
4.3.3.2).
This
processing
model
is,
in
turn,
applied
both
to
signed
material,
and
to
key
material
referenced
through
ds:RetrievalMethod
(
[
XMLDSIG-CORE
]
,
section
4.4.3
).
The
ds:Transform
role
element
is
also
used
by
the
optional
xenc:Transforms
feature
which
is
specified
in
the
context
of
xenc:CipherReference
in
XML
Encryption
(
[
XMLENC-CORE
],
section
3.3.1
).
Transform algorithms can take an octet-stream or a node-set as input, and can produce either an octet-stream or a node-set as output.
Implementation is required in [ XMLDSIG-CORE ] and [ XMLENC-CORE ]. Note that the same URI is used to identify base64 both in "encoding" context as well as in "transform" context.
This transform is required in [ XMLDSIG-CORE2002 ] , [ XMLDSIG-CORE ] .
The
ds:RetrievalMethod
element
permits
referencing
key
material
that
is
stored
outside
a
ds:KeyInfo
element.
The
type
of
the
material
that
results
from
retrieval
of
the
URI
reference
(and
possible
transform
processing)
can
be
identified
using
the
Type
attribute.
Note:
ds:RetrievalMethod
may
be
deprecated
in
future
versions
of
XML
Signature,
and
is
rarely
used
in
practice.
The
following
Type
values
identify
an
XML
element
or
document
with
the
given
element
as
its
root:
ds:DSAKeyValue
,
see
section
4.4.2.1
of
[
XMLDSIG-CORE
]
.
ds:RSAKeyValue
,
see
section
4.4.2.2
of
[
XMLDSIG-CORE
]
.
ds:X509Data
,
see
section
4.4.4
of
[
XMLDSIG-CORE
]
.
ds:PGPData
,
see
section
4.4.5
of
[
XMLDSIG-CORE
]
.
ds:SPKIData
,
see
section
4.4.6
of
[
XMLDSIG-CORE
]
.
ds:MgmtData
,
see
section
4.4.7
of
[
XMLDSIG-CORE
]
.
ds:KeyValue
,
see
section
4.4.2
of
[
XMLDSIG-CORE
]
.
ds:RetrievalMethod
,
see
section
4.4.3
of
[
XMLDSIG-CORE
]
.
ds:KeyName
,
see
section
4.4.1
of
[
XMLDSIG-CORE
]
.
dsigmore:PKCS7signedData
,
see
section
3.1
of
[
RFC4051
]
.
dsig11:ECKeyValue
,
see
section
4.5.2.3
of
[
XMLDSIG-CORE1
]
.
dsig11:DEREncodedKeyValue
,
see
section
4.5.9
of
[
XMLDSIG-CORE1
]
.
The
following
Type
values
identify
the
type
of
raw
binary
data:
Dated references below are to the latest known or appropriate edition of the referenced work. The referenced works may be subject to revision, and conformant implementations may follow, and are encouraged to investigate the appropriateness of following, some or all more recent editions or replacements of the works cited. It is in each case implementation-defined which editions are supported.
No normative references.