Copyright
© 2010
©
2011
W3C
®
®
(
MIT
,
ERCIM
,
Keio
),
All
Rights
Reserved.
W3C
liability
,
trademark
and
document
use
rules
apply.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
A
diff-marked
version
of
"XML
Security
Algorithm
Cross-Reference."
this
specification
that
highlights
changes
against
the
previous
version
is
available.
Major
changes
in
this
version:
This
document
was
developed
published
by
the
XML
Security
Working
Group
.
Please
send
as
a
Working
Draft.
If
you
wish
to
make
comments
about
regarding
this
document
document,
please
send
them
to
public-xmlsec-comments@w3.org
public-xmlsec@w3.org
(with
public
archive
(
subscribe
,
archives
).
All
feedback
is
welcome.
Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy . The group does not expect this document to become a W3C Recommendation. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy .
The various XML Security specifications have defined a number of algorithms of various types, while allowing and expecting additional algorithms to be defined later. Over time, these identifiers have been defined in a number of different specifications, including XML Signature, XML Encryption, RFCs and elsewhere.
This makes it difficult for users of the XML Security specifications to know whether and where a URI for an algorithm of interest has been defined, and can lead to the use of incorrect URIs. The purpose of this Note is to collect the various known URIs at the time of its publication and indicate the specifications in which they are defined in order to avoid confusion and errors.
This note is not intended as an exhaustive list of all known related identifiers, some of which may have been defined by other standards or specifications. Furthermore, this note is not to be taken as normative regarding the information provided; if information here conflicts with the referenced specification, the specification takes precedence in all cases.
The
architecture
of
the
XML
Security
specifications
distinguishes
between
the
(universally
useful)
identifiers
for
algorithms
and
the
roles
that
these
algorithms
can
take.
Roles
are
identified
through
elements
like
ds:SignatureMethod
,
ds:DigestMethod
,
ds:CanonicalizationMethod
,
or
ds:Transform
,
whereas
the
algorithms
are
identified
through
URIs.
Explicit
parameters
for
the
respective
algorithms
are
transmitted
in
child
elements
of
the
role
element.
This note indicates explicitly whether an algorithm is mandatory or recommended in other specifications. If nothing is said, then readers should assume that support for the algorithms given is optional.
This specification uses the following XML namespace prefixes:
ds
http://www.w3.org/2000/09/xmldsig#
xenc
http://www.w3.org/2001/04/xmlenc#
dsig11
http://www.w3.org/2009/xmldsig11#
dsigmore
http://www.w3.org/2001/04/xmldsig-more#
Algorithm URIs have been coined in a variety of namespaces, and are always given in full.
The
algorithms
listed
in
this
section
are
typically
used
in
the
signature
algorithm
role,
identified
through
the
ds:SignatureMethod
role
element
(
[XMLDSIG2e]
,
[
XMLDSIG-CORE
]
,
section
4.3.2).
Each
signature
method
takes
an
octet-stream
as
input,
and
produces
a
signature
value
(an
octet-stream
that
is
always
base64
encoded,
see
section
4.2
of
[XMLDSIG2e]
[
XMLDSIG-CORE
]
).
A
container
for
key
material,
ds:DSAKeyValue
,
is
defined
in
section
4.4.2.1
of
[XMLDSIG2e]
.
[
XMLDSIG-CORE
]
.
When
used
with
ds:RetrievalMethod
,
this
container
type
is
identified
through
the
URI
http://www.w3.org/2000/09/xmldsig#DSAKeyValue
.
Implementation
of
this
algorithm
is
required
in
both
[XMLDSIG]
[
XMLDSIG-CORE2002
]
and
[XMLDSIG2e]
.
[
XMLDSIG-CORE
]
.
We
anticipate
that
future
versions
of
XML
Signature
will
include
make
this
algorithm
mandatory
to
implement
for
signature
verification
only,
and
optional
to
implement
for
signature
generation.
Use
of
this
algorithm
is
discouraged.
Implementation of this algorithm is optional. Permissible lengths of the prime modulus are 2048 and 3072.
This
section
lists
variants
of
the
RSA
algorithm.
A
container
for
key
material,
ds:RSAKeyValue
,
is
defined
in
section
4.4.2.2
of
[XMLDSIG]
.
[
XMLDSIG-CORE2002
]
.
When
used
with
ds:RetrievalMethod
,
this
container
type
is
identified
through
the
URI
http://www.w3.org/2000/09/xmldsig#RSAKeyValue
.
We only list the algorithm URI for RSA-MD5 for the sake of completeness. The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its use is discouraged at this time.
Implementation
of
this
algorithm
is
recommended
in
[XMLDSIG]
[
XMLDSIG-CORE2002
]
and
[XMLDSIG2e]
.
[
XMLDSIG-CORE
]
.
Use
of
this
algorithm
for
signature
generation
will
be
discouraged
in
future
versions
of
the
XML
Signature
specification.
This
algorithm
is
under
consideration
as
a
mandatory
to
implement
algorithm
for
a
future
version
of
XML
Signature
[XMLDSIG11]
.
[
XMLDSIG-CORE1
]
.
This
section
lists
various
variants
of
the
Elliptic
Curve
DSA
(ECDSA)
algorithm.
A
container
for
key
material,
dsigmore:ECDSAKeyValue
,
is
defined
in
[RFC4050]
.
section
3.4.1
of
[
RFC4050
].
No
ds:RetrievalMethod
type
URI
is
defined
for
this
container.
Work
is
under
way
to
revise
this
container
format.
See
section
4.5.2.3
,
for
description
of
ECKeyValue
element
defined
in
[
XMLDSIG-CORE1
].
Given recent cryptographic results about the SHA1 hash algorithm, users of this algorithm should apply similar caution to other SHA1 based algorithms, and treat it as an algorithm whose use is discouraged.
This
algorithm
is
under
consideration
as
a
mandatory
to
implement
algorithm
for
a
future
version
of
XML
Signature
[XMLDSIG11]
.
[
XMLDSIG-CORE1
]
.
The
following
URIs
have
been
defined
for
various
Message
Authentication
Codes
that
use
the
HMAC
construction
[RFC2104]
.
[
HMAC
]
.
All
of
these
algorithms
take
an
explicit
truncation
length
parameter.
A
container
for
this
parameter,
ds:HMACOutputLength
,
is
defined
in
section
6.3.1
of
[XMLDSIG2e]
.
[
XMLDSIG-CORE
]
.
This
container
occurs
as
a
child
element
of
the
role
element.
This
algorithm
is
used
as
the
default
MAC
algorithm
in
[XKMS2]
.
[
XKMS2
]
.
It
is
mandatory
to
implement
in
XML
Signature
[XMLDSIG]
,
[XMLDSIG2e]
.
[
XMLDSIG-CORE2002
]
,
[
XMLDSIG-CORE
]
.
This
algorithm
is
under
consideration
as
a
recommended
algorithm
for
a
future
version
of
XML
Signature
[XMLDSIG11]
.
[
XMLDSIG-CORE1
]
.
The
following
URIs
have
been
defined
for
Digest
Methods.
They
are
typically
used
in
the
ds:DigestMethod
role
in
[XMLDSIG]
.
[
XMLDSIG-CORE2002
]
.
Note
that
ds:DigestMethod
also
occurs
as
in
the
context
of
xenc:AgreementMethod
,
as
specified
in
the
Key
Agreement
part
of
[XMLENC]
.
[
XMLENC-CORE
]
.
We only list the algorithm URI for MD5 for the sake of completeness. The cryptographic strength of this algorithm is sufficiently doubtful that its use is not recommended at this time.
Note
that
URIs
for
the
various
algorithms
of
the
Secure
Hash
Algorithm
family
have
been
coined
in
a
number
of
name
spaces
and
specifications,
specifically
[XMLDSIG]
[
XMLDSIG-CORE2002
]
(and,
in
this
regard
identically,
[XMLDSIG2e]
[
XMLDSIG-CORE
]
),
[XMLENC]
,
and
[RFC4051]
.
[
XMLENC-CORE
]
,
and
[
RFC4051
]
.
SHA-1
is
the
only
digest
algorithm
defined
in
[XMLDSIG2e]
,
[
XMLDSIG-CORE
]
,
and
is
mandatory
to
implement
in
that
specification,
and
in
[XMLENC]
.
[
XMLENC-CORE
]
.
Given
recent
cryptographic
research,
however,
it
is
expected
that
use
of
this
algorithm
(and
signature
algorithms
that
are
based
upon
it)
will
be
discouraged
in
forthcoming
versions
of
XML
Signature.
This
algorithm
is
under
consideration
as
a
mandatory
to
implement
algorithm
for
a
future
version
of
XML
Signature
[XMLDSIG11]
.
[
XMLDSIG-CORE1
]
.
It
is
recommended
in
[XMLENC]
.
[
XMLENC-CORE
]
.
The
following
URIs
have
been
defined
for
symmetric
key
encryption
algorithms.
They
typically
appear
in
the
xenc:EncryptionMethod
role.
This
algorithm
is
mandatory
to
implement
in
[XMLENC]
.
[
XMLENC-CORE
]
.
This
algorithm
is
mandatory
to
implement
in
[XMLENC]
.
[
XMLENC-CORE
]
.
This
algorithm
is
mandatory
to
implement
in
[XMLENC]
.
[
XMLENC-CORE
]
.
This algorithm is optional to implement in [ XMLENC-CORE1 ].
This algorithm is optional to implement in [ XMLENC-CORE1 ].
The following URIs have been defined for key transport algorithms.
This
algorithm
is
mandatory
to
implement
in
[XMLENC]
.
[
XMLENC-CORE
]
.
The following URIs have been defined for key derivation algorithms.
The following URIs have been defined for key agreement algorithms.
While
this
is
the
only
key
agreement
algorithm
defined
in
[XMLENC]
,
[
XMLENC-CORE
],
it
is
optional
to
implement.
A
container
for
key
material
for
this
key
agreement
algorithm,
xenc:DHKeyValue
,
is
defined
in
section
5.5.2
5.5.1
of
[XMLENC]
.
[
XMLENC-CORE
]
.
When
used
with
ds:RetrievalMethod
,
this
container
type
is
identified
through
the
URI
http://www.w3.org/2001/04/xmlenc#dh
.
This algorithm is an optional to implement algorithm for a future version of XML Encryption. [ XMLENC-CORE1 ].
This
algorithm
is
under
consideration
as
a
mandatory
to
implement
algorithm
for
a
future
version
of
XML
Encryption.
[XMLENC11]
.
[
XMLENC-CORE1
].
The following URIs have been defined for symmetric key wrap algorithms.
This
algorithm
is
mandatory
to
implement
in
[XMLENC]
.
[
XMLENC-CORE
]
.
This
algorithm
is
mandatory
to
implement
in
[XMLENC]
.
[
XMLENC-CORE
]
.
This
algorithm
is
mandatory
to
implement
in
[XMLENC]
.
[
XMLENC-CORE
]
.
The following URIs have been defined for generic hybrid cipher algorithms.
Canonicalization
algorithms
are
used
in
[XMLDSIG]
[
XMLDSIG-CORE2002
]
;
they
are
typically
used
in
the
ds:CanonicalizationMethod
and
ds:Transform
roles.
Canonical
XML
1.0
[C14N1.0]
[
XML-C14N
]
without
comments
is
mandatory
to
implement
in
both
XML
Signature
[XMLDSIG]
[
XMLDSIG-CORE2002
]
and
XML
Signature
Second
Edition
[XMLDSIG2e]
.
[
XMLDSIG-CORE
]
.
XML
Signature
Second
Edition
recommends
use
of
Canonical
XML
1.1
[C14N1.1]
[
XML-C14N11
]
over
use
of
Canonical
XML
1.0
when
inclusive
canonicalization
is
desired,
to
address
known
issues
with
Canonical
XML
1.0.
The canonicalization methods listed in this section accept a node-set or octet-stream as input, and produce an octet-stream as output.
This
algorithm
is
mandatory
to
implement
in
[XMLDSIG]
[
XMLDSIG-CORE2002
and
[XMLDSIG2e]
.
]
and
[
XMLDSIG-CORE
]
.
This
algorithm
is
mandatory
to
implement
in
[XMLDSIG2e]
.
[
XMLDSIG-CORE
]
.
Its
use
is
recommended
over
Canonical
XML
1.0.
Implementation is required in [ XMLDSIG-CORE ] and [ XMLENC-CORE ]. Note that the same URI is used to identify base64 both in "encoding" context as well as in "transform" context.
This
section
lists
algorithms
that
typically
occur
in
the
ds:Transform
role.
ds:Transform
is
defined
in
detail
in
the
XML
Signature
Reference
Processing
Model
(
[XMLDSIG2e]
,
[
XMLDSIG-CORE
]
,
section
4.3.3.2).
This
processing
model
is,
in
turn,
applied
both
to
signed
material,
and
to
key
material
referenced
through
ds:RetrievalMethod
(
[XMLDSIG2e]
,
[
XMLDSIG-CORE
]
,
section
4.4.3).
4.4.3
).
The
ds:Transform
role
element
is
also
used
by
the
optional
xenc:Transforms
feature
which
is
specified
in
the
context
of
xenc:CipherReference
in
XML
Encryption
(
[XMLENC]
,
[
XMLENC-CORE
],
section
3.3.1).
3.3.1
).
Transform algorithms can take an octet-stream or a node-set as input, and can produce either an octet-stream or a node-set as output.
Implementation
is
required
in
[XMLDSIG2e]
[
XMLDSIG-CORE
and
[XMLENC]
.
]
and
[
XMLENC-CORE
].
Note
that
the
same
URI
is
used
to
identify
base64
both
in
"encoding"
context
as
well
as
in
"transform"
context.
This
transform
is
required
in
[XMLDSIG]
,
[XMLDSIG2e]
.
[
XMLDSIG-CORE2002
]
,
[
XMLDSIG-CORE
]
.
The
ds:RetrievalMethod
element
permits
referencing
key
material
that
is
stored
outside
a
ds:KeyInfo
element.
The
type
of
the
material
that
results
from
retrieval
of
the
URI
reference
(and
possible
transform
processing)
can
be
identified
using
the
Type
attribute.
Note:
ds:RetrievalMethod
may
be
deprecated
in
future
versions
of
XML
Signature,
and
is
rarely
used
in
practice.
The
following
Type
values
identify
an
XML
element
or
document
with
the
given
element
as
its
root:
ds:DSAKeyValue
,
see
section
4.4.2.1
of
ds:RSAKeyValue
,
see
section
4.4.2.2
of
ds:X509Data
,
see
section
4.4.4
of
ds:PGPData
,
see
section
4.4.5
of
ds:SPKIData
,
see
section
4.4.6
of
ds:MgmtData
,
see
section
4.4.7
of
ds:KeyValue
,
see
section
4.4.2
of
ds:RetrievalMethod
,
see
section
4.4.3
of
ds:KeyName
,
see
section
4.4.1
of
dsigmore:PKCS7signedData
,
see
section
3.1
of
dsig11:ECKeyValue
,
see
section
dsig11:DEREncodedKeyValue
,
see
section
The
following
Type
values
identify
the
type
of
raw
binary
data:
@@ TBD @@
Dated references below are to the latest known or appropriate edition of the referenced work. The referenced works may be subject to revision, and conformant implementations may follow, and are encouraged to investigate the appropriateness of following, some or all more recent editions or replacements of the works cited. It is in each case implementation-defined which editions are supported.
No normative references.