Re: [Curdle] should we include xmldsig and xmlenc?
Simon Josefsson <simon@josefsson.org> Wed, 02 December 2015 13:14 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 350C41A8A68 for <curdle@ietfa.amsl.com>; Wed, 2 Dec 2015 05:14:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TC1j97YWQ9jz for <curdle@ietfa.amsl.com>; Wed, 2 Dec 2015 05:14:28 -0800 (PST)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDE3D1A8A63 for <curdle@ietf.org>; Wed, 2 Dec 2015 05:14:27 -0800 (PST)
Received: from latte.josefsson.org ([155.4.17.2]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id tB2DE7h0006547 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 2 Dec 2015 14:14:08 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <565EE8B6.2010903@cs.tcd.ie>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
X-Hashcash: 1:22:151202:stephen.farrell@cs.tcd.ie::jLRvnujrdsBqThVB:1ZjX
X-Hashcash: 1:22:151202:wseltzer@w3.org::/IANmtNqV3W7Iajm:60wz
X-Hashcash: 1:22:151202:curdle@ietf.org::yvB5fogiCW3LBR5d:71um
X-Hashcash: 1:22:151202:mnot@mnot.net::rgw6boLyVj1YWeQT:DLz1
Date: Wed, 02 Dec 2015 14:14:06 +0100
In-Reply-To: <565EE8B6.2010903@cs.tcd.ie> (Stephen Farrell's message of "Wed, 2 Dec 2015 12:48:54 +0000")
Message-ID: <87io4h2dsx.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/curdle/ZXwHalF83KOEYbsxKZSui9srWug>
Cc: curdle@ietf.org, Wendy Seltzer <wseltzer@w3.org>, Mark Nottingham <mnot@mnot.net>
Subject: Re: [Curdle] should we include xmldsig and xmlenc?
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 13:14:30 -0000
XML Digital Signatures is mentioned in the curdle charter text. I suggest to add XML Encryption too. Incidentally, I approached Wendy and Frederick Hirsch about this last month, and their recommendation (IIUC) was that since the W3C group is in maintenance mode it would be preferrable to announce work on this to their list and then go from there. I have an Ed25519/Ed448-for-XMLDigSig document sitting on my disk, but it is pending feedback from implementers. I don't believe it would be useful to approach this as a prescriptive work. I can post the document as an I-D if that would help get implementations going, but I don't think we should adopt this if nobody is interested in implementing it. I'm hesitant about burning energy on corner-cases since it will delay publishing the documents that implementers deployed years ago. Another option may be for the IETF to recognize reality and recommend against further use of XMLDigSig/XMLEnc completely. I.e., "XML Security Considered Harmful". A compromise would be to say that it is OK to use for existing use-cases, but don't use it in new protocols. I believe that reflect the general thinking among implementers about XML Security in general. /Simon Stephen Farrell <stephen.farrell@cs.tcd.ie> writes: > Hiya, > > I was at a thing with some w3c folks yesterday and mentioned > curdle. It is conceivable that W3C may want to add codepoints > to xmldsig and xmlenc for the new curves, just like we do. So > far though, I've not seen anyone ask specifically for that. > > xmldsig was a joint bit of work between the IETF and W3C but > that was a bit of a process-pain, so xmlenc was just done as > a W3C thing. OTOH, Don Eastlake did write up an RFC for some > additional algorithms for those as RFC6931 as well. [1] I > guess that amicable divorce wasn't ever fully finalised:-) > > So, questions: > > 1. is there interest to define how to use the new curves for > xmldsig and xmlenc? > 2. if 1==yes, do we have volunteers to do the editing work? > 3. if 1==yes and 2==yes, is curdle the right place to do that > or should we just leave that to W3C to handle as and when > they want? > > FWIW, I've no strong opinions on this, but if this group > felt that the answers to all 3 questions are yes, then we > should probably sort that out with W3C (one way or another) > while we're chartering curdle. If any of the answers is no, > then we're good as-is and there's nothing else we need do > for now. > > Cheers, > S. > > PS: mnot and Wendy are cc'd as they're the relevant liaison > folks between the IETF and W3C. > > [1] https://tools.ietf.org/html/rfc6931 > > _______________________________________________ > Curdle mailing list > Curdle@ietf.org > https://www.ietf.org/mailman/listinfo/curdle
- [Curdle] should we include xmldsig and xmlenc? Stephen Farrell
- Re: [Curdle] should we include xmldsig and xmlenc? Simon Josefsson
- Re: [Curdle] should we include xmldsig and xmlenc? Simon Josefsson