Strength of R5001 (Use of RSA1.5)

[Rimas Rekasius]

The current version of the Basic B2B Profile has the following
requirement in it constraining the choice of encryption algorithm:

R5001 When used for Key Transport, any xenc:EncryptionMethod/@Algorithm
attribute in an ENCRYPTED_KEY MUST have a value of
"http://www.w3.org/2001/04/xmlenc#rsa-1_5".

Question: should this be softened to a SHOULD, or is MUST the right
thing to do for the sake of interoperability?

Thanks,

Rimas

[Anthony Nadalin]

There are 2 allowed values, if each site chooses the same algorithm (OEAP or RSA1.5) no problem (only way to do this today is out of band), so this should be softened to "SHOULD" and http://www.w3.org/2001/04/xmlenc#rsa-1_5 should be made the default value

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
Rimas Rekasius/Chicago/IBM@IBMUS

Rimas Rekasius/Chicago/IBM@IBMUS 05/12/2005 03:25 PM Please respond to basicB2B

To basi...@googlegroups.com cc Subject Strength of R5001 (Use of RSA1.5)

[Christopher B Ferris]

+1

Christopher Ferris
STSM, Emerging e-business Industry Architecture
email: chri...@us.ibm.com
blog: http://webpages.charter.net/chrisfer/blog.html
phone: +1 508 377 9295

Anthony Nadalin/Austin/IBM@IBMUS wrote on 05/13/2005 12:19:42 PM:

> There are 2 allowed values, if each site chooses the same algorithm
(OEAP or RSA1.5) no problem
> (only way to do this today is out of band), so this should be softened
to "SHOULD" and http://www.
> w3.org/2001/04/xmlenc#rsa-1_5 should be made the default value
>
> Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

> [image removed] Rimas Rekasius/Chicago/IBM@IBMUS

>

>
> Rimas Rekasius/Chicago/IBM@IBMUS
> 05/12/2005 03:25 PM
>
> Please respond to
> basicB2B
>

> [image removed]
> To
>
> [image removed]
> basi...@googlegroups.com
>
> [image removed]
> cc
>
> [image removed]
>
> [image removed]
> Subject
>
> [image removed]

> Strength of R5001 (Use of RSA1.5)
>

> [image removed]
>
> [image removed]

[Rimas Rekasius]

OK, so just to be painfully clear, the proposal is to change

R5001 When used for Key Transport, any xenc:EncryptionMethod/@Algorithm
attribute in an ENCRYPTED_KEY MUST have a value of
"http://www.w3.org/2001/04/xmlenc#rsa-1_5".

to

R5001 When used for Key Transport, any xenc:EncryptionMethod/@Algorithm

attribute in an ENCRYPTED_KEY SHOULD have a value of
"http://www.w3.org/2001/04/xmlenc#rsa-1_5".


Unless I hear any objections, I will proceed to make this change in a new version of the profile that I am working on.

Regards,

Rimas V. Rekasius
e-business Industry Standards Architect
1-312-245-6775 (voice/FAX)
1-773-934-2705 (cell phone)

Anthony Nadalin/Austin/IBM@IBMUS 05/13/2005 11:19 AM Please respond to basicB2B

To basi...@googlegroups.com cc Subject Re: Strength of R5001 (Use of RSA1.5)

[Anthony Nadalin]

Correct

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
Rimas Rekasius/Chicago/IBM@IBMUS

Rimas Rekasius/Chicago/IBM@IBMUS Sent by: basi...@googlegroups.com 05/25/2005 05:19 PM Please respond to basicB2B

To basi...@googlegroups.com cc

Subject

Re: Strength of R5001 (Use of RSA1.5)

OK, so just to be painfully clear, the proposal is to change

R5001 When used for Key Transport, any xenc:EncryptionMethod/@Algorithm
attribute in an ENCRYPTED_KEY MUST have a value of
"http://www.w3.org/2001/04/xmlenc#rsa-1_5".

to

R5001 When used for Key Transport, any xenc:EncryptionMethod/@Algorithm
attribute in an ENCRYPTED_KEY SHOULD have a value of
"http://www.w3.org/2001/04/xmlenc#rsa-1_5".


Unless I hear any objections, I will proceed to make this change in a new version of the profile that I am working on.

Regards,

Rimas V. Rekasius
e-business Industry Standards Architect
1-312-245-6775 (voice/FAX)
1-773-934-2705 (cell phone)

Anthony Nadalin/Austin/IBM@IBMUS 05/13/2005 11:19 AM Please respond to basicB2B

To basi...@googlegroups.com cc

Subject Re: Strength of R5001 (Use of RSA1.5)