[standards-jig] new security JEP

Paul Lloyd paul_lloyd at hp.com
Thu May 9 15:12:17 UTC 2002


Hello,

Mike Lin wrote:
 
> Here are some comments I have -
> 
> XMLDSIG, XMLENC, and XKMS are becoming pretty coherent standards, and I
> wonder why we should follow a Standards Track process for a homegrown
> protocol rather than adopt these. I don't mean to be shooting this down,
> but I would appreciate additional commentary by the author on how this
> protocol can achieve "closer alignment" with these imminent standards.

1) One motivation here is for the protection of XML docs in a session
environment rather than an atomic document environment.

2) Another motivation is to avoid excess public key operations.

3) The canonicalization work done by the W3C should prove valuable and be
incorporated wherever possible.

4) XKMS should be a fine way for implementations to deal with appropriate key
management issues.

Fundamentaly, I wish to propose creating and adopting an optimized protocol
for the IM environment and its content, and this protocol should be based on as
many appropriate standards as possible. Furthermore, one aspect of optimized must
address issues of performance, scalability, and ease of use.

Hopefully, with that said, our views and goals WRT to protecting Jabber
conversations are not too dissimilar.
 
> 3.3.4 Specifies that cryptographic operations over character strings
> must be carried out over the UTF-16 encoding of the string. I am curious
> why UTF-16 and not UTF-8. We generally handle strings as UTF-8
> currently. UTF-8 frees us from some byte ordering concerns and are more
> efficient to store. Cryptographically, a UTF-8 string tends to have more
> entropy than an equivalent UTF-16 string. Finally, it would just make my
> life easier to use UTF-8.

Your points are well taken; all that's needed is a canonicalization mechanism.
My suggestion of UTF-16 is largely arbitarary.

Also, the cryptographic implications of UTF-16 are the reaosn I did not
include any stream ciphers in the first proposal.

Finally, I support anything that makes a person's life easier.
 
> These points aside, the protocol thusfar is well thought out and
> elegantly designed, accompanied with lucid commentary and clear
> explanation. My complements to the author.

Thanks!


Best regards,


  |\/\/\/|        "I DIDN'T DO IT, MAN!"
  |      |
  |      |        Paul Lloyd
  | (o)(o)        Infrastructure Strategic Engineering
  C      _)       Strategy and Architecture Leadership Team
   | ,___|        voice:          650-236-3704
   |   /          FAX:            650-236-3632
  /____\          MSN Messenger:  paul_lloyd at hp.com
 /      \         plloyd at corp.hp.com



More information about the Standards mailing list