-
Type:
Improvement
-
Status: Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Component/s: AS4 Profile, Core Spec
-
Labels:None
-
Proposal:
In ebMS3 it is possible to configure the signature algorithm:
"PMode[1].Security.X509.Signature.Algorithm: The value of this parameter identifies the algorithm that is used to compute the value of the digital signature. The definitions for these values are found in the [XMLDSIG] or [XMLENC] specifications."
ebMS3 Core has the following reference to XML Signature:
[XMLDSIG] Donald Eastlake, et al, eds, XML-Signature Syntax and Processing, 2002. <http://www.w3.org/TR/xmldsig-core/>
AS4 has the following:
[XMLDSIG] XML-Signature Syntax and Processing (Second Edition). W3C Recommendation. 10 June 2008. http://www.w3.org/TR/xmldsig-core/
Both are outdated in various ways. For digest algorithms, they define SHA1 and not SHA2. For signature, they define rsa-sha1 but not rsa-sha256.
The current version of XML Signature, which is the 1.1 version of April 2013, http://www.w3.org/TR/xmldsig-core1/ Could we update the reference to point to the 1.1 version? I would like to be able to set the digest algorithm to http://www.w3.org/2001/04/xmlenc#sha256 and signature algorithm to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
Here is an email exchange between me and Frederick Hirsch on this, with some background information. SHA1 is being phased out rapidly.
https://lists.oasis-open.org/archives/wss-dev/201311/maillist.html
The ebMS3 Core Pmode takes its values directly from the W3C specification, so it easier to update than WS-SecurityPolicy which has its own identifier format.
There is also a newer version of XML Encryption with newer algorithms.