Copyright © 2011 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
A diff-marked version of this specification that highlights changes against the previous version is available. Major changes in this version:
This document was published by the XML Security Working Group as a Working Draft. If you wish to make comments regarding this document, please send them to public-xmlsec@w3.org (subscribe, archives). All feedback is welcome.
Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. The group does not expect this document to become a W3C Recommendation. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
The various XML Security specifications have defined a number of algorithms of various types, while allowing and expecting additional algorithms to be defined later. Over time, these identifiers have been defined in a number of different specifications, including XML Signature, XML Encryption, RFCs and elsewhere.
This makes it difficult for users of the XML Security specifications to know whether and where a URI for an algorithm of interest has been defined, and can lead to the use of incorrect URIs. The purpose of this Note is to collect the various known URIs at the time of its publication and indicate the specifications in which they are defined in order to avoid confusion and errors.
This note is not intended as an exhaustive list of all known related identifiers, some of which may have been defined by other standards or specifications. Furthermore, this note is not to be taken as normative regarding the information provided; if information here conflicts with the referenced specification, the specification takes precedence in all cases.
The architecture of the XML Security specifications distinguishes between the (universally
useful) identifiers for algorithms and the roles that these algorithms can take. Roles are
identified through elements like ds:SignatureMethod
,
ds:DigestMethod
, ds:CanonicalizationMethod
, or
ds:Transform
, whereas the algorithms are identified through URIs. Explicit
parameters for the respective algorithms are transmitted in child elements of the role
element.
This note indicates explicitly whether an algorithm is mandatory or recommended in other specifications. If nothing is said, then readers should assume that support for the algorithms given is optional.
This specification uses the following XML namespace prefixes:
ds
http://www.w3.org/2000/09/xmldsig#
xenc
http://www.w3.org/2001/04/xmlenc#
dsig11
http://www.w3.org/2009/xmldsig11#
dsigmore
http://www.w3.org/2001/04/xmldsig-more#
Algorithm URIs have been coined in a variety of namespaces, and are always given in full.
The algorithms listed in this section are typically used in the signature algorithm role,
identified through the ds:SignatureMethod
role element (
[XMLDSIG-CORE]
, section 4.3.2). Each signature method takes
an octet-stream as input, and produces a signature value (an octet-stream that is always
base64 encoded, see section 4.2 of
[XMLDSIG-CORE]
).
A container for key material, ds:DSAKeyValue
, is defined in section
4.4.2.1 of
[XMLDSIG-CORE]
. When used with
ds:RetrievalMethod
, this container type is identified through the URI
http://www.w3.org/2000/09/xmldsig#DSAKeyValue
.
Implementation of this algorithm is required in both [XMLDSIG-CORE2002] and [XMLDSIG-CORE] . We anticipate that future versions of XML Signature will include make this algorithm mandatory to implement for signature verification only, and optional to implement for signature generation. Use of this algorithm is discouraged.
Implementation of this algorithm is optional. Permissible lengths of the prime modulus are 2048 and 3072.
This section lists variants of the RSA algorithm. A container for key material,
ds:RSAKeyValue
, is defined in section
4.4.2.2 of
[XMLDSIG-CORE2002]
. When used with
ds:RetrievalMethod
, this container type is identified through the URI
http://www.w3.org/2000/09/xmldsig#RSAKeyValue
.
We only list the algorithm URI for RSA-MD5 for the sake of completeness. The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its use is discouraged at this time.
Implementation of this algorithm is recommended in [XMLDSIG-CORE2002] and [XMLDSIG-CORE] . Use of this algorithm for signature generation will be discouraged in future versions of the XML Signature specification.
This algorithm is under consideration as a mandatory to implement algorithm for a future version of XML Signature [XMLDSIG-CORE1] .
This section lists various variants of the Elliptic Curve
DSA (ECDSA) algorithm. A container
for key material, dsigmore:ECDSAKeyValue
, is
defined in
section 3.4.1 of
[RFC4050]. No ds:RetrievalMethod
type URI is
defined for
this
container.
Work is under way to revise this container format.
See section
4.5.2.3, for description of ECKeyValue
element defined in [XMLDSIG-CORE1].
Given recent cryptographic results about the SHA1 hash algorithm, users of this algorithm should apply similar caution to other SHA1 based algorithms, and treat it as an algorithm whose use is discouraged.
This algorithm is under consideration as a mandatory to implement algorithm for a future version of XML Signature [XMLDSIG-CORE1] .
The following URIs have been defined for various Message Authentication Codes that use the
HMAC construction
[HMAC]
. All of these algorithms take an explicit
truncation length parameter. A container for this parameter, ds:HMACOutputLength
,
is defined in section 6.3.1 of
[XMLDSIG-CORE]
. This container occurs as a
child element of the role element.
This algorithm is used as the default MAC algorithm in [XKMS2] . It is mandatory to implement in XML Signature [XMLDSIG-CORE2002] , [XMLDSIG-CORE] .
This algorithm is under consideration as a recommended algorithm for a future version of XML Signature [XMLDSIG-CORE1] .
The following URIs have been defined for Digest Methods. They are typically used in the
ds:DigestMethod
role in
[XMLDSIG-CORE2002]
. Note that ds:DigestMethod
also occurs as
in the context of xenc:AgreementMethod
,
as specified in the Key
Agreement part of
[XMLENC-CORE]
.
We only list the algorithm URI for MD5 for the sake of completeness. The cryptographic strength of this algorithm is sufficiently doubtful that its use is not recommended at this time.
Note that URIs for the various algorithms of the Secure Hash Algorithm family have been coined in a number of name spaces and specifications, specifically [XMLDSIG-CORE2002] (and, in this regard identically, [XMLDSIG-CORE] ), [XMLENC-CORE] , and [RFC4051] .
SHA-1 is the only digest algorithm defined in [XMLDSIG-CORE] , and is mandatory to implement in that specification, and in [XMLENC-CORE] . Given recent cryptographic research, however, it is expected that use of this algorithm (and signature algorithms that are based upon it) will be discouraged in forthcoming versions of XML Signature.
This algorithm is under consideration as a mandatory to implement algorithm for a future version of XML Signature [XMLDSIG-CORE1] . It is recommended in [XMLENC-CORE] .
The following URIs have been defined for symmetric key encryption algorithms. They
typically appear in the xenc:EncryptionMethod
role.
This algorithm is mandatory to implement in [XMLENC-CORE] .
This algorithm is mandatory to implement in [XMLENC-CORE] .
This algorithm is mandatory to implement in [XMLENC-CORE] .
This algorithm is optional to implement in [XMLENC-CORE1].
This algorithm is optional to implement in [XMLENC-CORE1].
The following URIs have been defined for key transport algorithms.
This algorithm is mandatory to implement in [XMLENC-CORE] .
The following URIs have been defined for key derivation algorithms.
The following URIs have been defined for key agreement algorithms.
While this is the only key agreement algorithm defined in [XMLENC-CORE], it is optional to implement.
A container for key material for this key agreement algorithm,
xenc:DHKeyValue
, is defined in
section 5.5.1 of
[XMLENC-CORE] . When used
with ds:RetrievalMethod
, this
container type is identified through the
URI http://www.w3.org/2001/04/xmlenc#dh
.
This algorithm is an optional to implement algorithm for a future version of XML Encryption. [XMLENC-CORE1].
This algorithm is under consideration as a mandatory to implement algorithm for a future version of XML Encryption. [XMLENC-CORE1].
The following URIs have been defined for symmetric key wrap algorithms.
This algorithm is mandatory to implement in [XMLENC-CORE] .
This algorithm is mandatory to implement in [XMLENC-CORE] .
This algorithm is mandatory to implement in [XMLENC-CORE] .
The following URIs have been defined for generic hybrid cipher algorithms.
Canonicalization algorithms are used in
[XMLDSIG-CORE2002]
; they are typically used
in the ds:CanonicalizationMethod
and ds:Transform
roles.
Canonical XML 1.0 [XML-C14N] without comments is mandatory to implement in both XML Signature [XMLDSIG-CORE2002] and XML Signature Second Edition [XMLDSIG-CORE] . XML Signature Second Edition recommends use of Canonical XML 1.1 [XML-C14N11] over use of Canonical XML 1.0 when inclusive canonicalization is desired, to address known issues with Canonical XML 1.0.
The canonicalization methods listed in this section accept a node-set or octet-stream as input, and produce an octet-stream as output.
This algorithm is mandatory to implement in [XMLDSIG-CORE2002] and [XMLDSIG-CORE] .
This algorithm is mandatory to implement in [XMLDSIG-CORE] . Its use is recommended over Canonical XML 1.0.
Implementation is required in [XMLDSIG-CORE] and [XMLENC-CORE]. Note that the same URI is used to identify base64 both in "encoding" context as well as in "transform" context.
This section lists algorithms that typically occur in the ds:Transform
role. ds:Transform
is defined in detail in the XML Signature Reference Processing
Model (
[XMLDSIG-CORE]
, section 4.3.3.2). This processing model is, in
turn, applied both to signed material, and to key material referenced through ds:RetrievalMethod
(
[XMLDSIG-CORE]
, section 4.4.3).
The ds:Transform
role element is also used by the optional
xenc:Transforms
feature which is specified in the context of xenc:CipherReference
in XML Encryption (
[XMLENC-CORE],
section 3.3.1).
Transform algorithms can take an octet-stream or a node-set as input, and can produce either an octet-stream or a node-set as output.
Implementation is required in [XMLDSIG-CORE] and [XMLENC-CORE]. Note that the same URI is used to identify base64 both in "encoding" context as well as in "transform" context.
This transform is required in [XMLDSIG-CORE2002] , [XMLDSIG-CORE] .
The ds:RetrievalMethod
element permits referencing key material that is stored
outside a ds:KeyInfo
element. The type of the material that results from
retrieval of the URI reference (and possible transform processing) can be identified using
the Type
attribute.
Note: ds:RetrievalMethod
may be deprecated in future versions of
XML Signature, and is rarely used in practice.
The following Type
values identify an XML element or document with the given
element as its root:
ds:DSAKeyValue
, see section
4.4.2.1 of
[XMLDSIG-CORE]
.
ds:RSAKeyValue
, see section
4.4.2.2 of
[XMLDSIG-CORE]
.
ds:X509Data
, see section
4.4.4 of
[XMLDSIG-CORE]
.
ds:PGPData
, see section
4.4.5 of
[XMLDSIG-CORE]
.
ds:SPKIData
, see section
4.4.6 of
[XMLDSIG-CORE]
.
ds:MgmtData
, see section
4.4.7 of
[XMLDSIG-CORE]
.
ds:KeyValue
, see section
4.4.2 of
[XMLDSIG-CORE]
.
ds:RetrievalMethod
, see section
4.4.3 of
[XMLDSIG-CORE]
.
ds:KeyName
, see section
4.4.1 of
[XMLDSIG-CORE]
.
dsigmore:PKCS7signedData
, see section 3.1 of
[RFC4051]
.
dsig11:ECKeyValue
, see
section
4.5.2.3 of
[XMLDSIG-CORE1]
.
dsig11:DEREncodedKeyValue
, see
section 4.5.9
of
[XMLDSIG-CORE1]
.
The following Type
values identify the type of raw binary data:
@@ TBD @@
Dated references below are to the latest known or appropriate edition of the referenced work. The referenced works may be subject to revision, and conformant implementations may follow, and are encouraged to investigate the appropriateness of following, some or all more recent editions or replacements of the works cited. It is in each case implementation-defined which editions are supported.
No normative references.