[widget-digsig] Pls review: Additional considerations on elliptic curve algorithms to consider from Frederick Hirsch on 2009-04-08 (public-webapps@w3.org from April to June 2009)

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Wed, 8 Apr 2009 06:30:09 -0400
To: Web Applications Working Group WG <public-webapps@w3.org>
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
Message-Id: <78E5D6BC-3CFF-4231-B58F-3ED6BB7F8ED0@nokia.com>

The XML Security WG would like to refine the question about the   
suitability of elliptic curve as a mandatory to implement algorithm   
for XML Signature 1.1 by highlighting that the  scope of elliptic   
curve is greatly limited in what is proposed to be mandatory in XML   
Signature 1.1.

As T-Mobile pointed out previously in their comments [1], the specific  
curve being used in an instance of ECDSA is important and there are a  
few sets of well-known ("named") curves that have been standardized.   
The P-256, P-384 and P-521 curves are three of the five NIST-defined  
prime curves.

Since the publication of the First Public Working Draft of XML   
Signature 1.1, the following clarifying text was added by the XML  
Security WG to  the end of section 6.4.3 of XML Signature 1.1 [2]:

"This specification REQUIRES implementations to support the   
ECDSAwithSHA256 signature algorithm, which is ECDSA over the P-256   
prime curve specified in Section D.2.3 of FIPS 186-3 [FIPS186-3] (and   
using the SHA-256 hash algorithm). It is further RECOMMENDED that   
implementations also support ECDSA over the P-384 and P-521 prime   
curves; these curves are defined in Sections D.2.4 and D.2.5 of FIPS   
186-3, respectively."

It is important to realize  that by reducing the scope of the   
requirement to a specific curve that this should simplify evaluation    
of whether it is desirable to make this  mandatory to implement.

The XML Security WG would also like to note the importance of this   
algorithm to US Government customers, as evidenced by their adoption   
of Suite B [3]. This is reflected in the XML Security WG Use Cases  
and  Requirements document in section 3.5.2.3 [4].

These considerations can also apply to the decision of which    
algorithms should be required in Widget Signature.

Please share this additional information in your organization and   
indicate if it would cause any change in position regarding the   
mandatory to implement algorithms.

Thank you

regards, Frederick

Frederick Hirsch, Nokia
Chair XML Security WG


[1] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0842.html

[2] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-SignatureAlg

[3] Fact Sheet NSA Suite B Cryptography, http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

[4] http://www.w3.org/TR/2009/WD-xmlsec-reqs-20090226/#algorithm-suiteb

Received on Wednesday, 8 April 2009 10:31:25 UTC