idnits 2.17.1

draft-eastlake-rfc6931bis-xmlsec-uris-15.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (June 15, 2021) is 1036 days in the past. Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '1600' on line 324

  == Unused Reference: 'RFC5869' is defined on line 1664, but no explicit
     reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. '10118-3'

  -- Possible downref: Non-RFC (?) normative reference: ref. '18033-2'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'Camellia'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS180-4'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS186-4'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS202'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEEP1363a'

  -- Possible downref: Non-RFC (?) normative reference: ref.
     'NIST800-208'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'RC4'

  ** Downref: Normative reference to an Informational RFC: RFC 1321

  ** Downref: Normative reference to an Informational RFC: RFC 2104

  ** Downref: Normative reference to an Informational RFC: RFC 2315

  ** Downref: Normative reference to an Informational RFC: RFC 3394

  ** Downref: Normative reference to an Informational RFC: RFC 3713

  ** Downref: Normative reference to an Informational RFC: RFC 4050

  ** Downref: Normative reference to an Informational RFC: RFC 4269

  ** Downref: Normative reference to an Informational RFC: RFC 5869

  ** Downref: Normative reference to an Informational RFC: RFC 6234

  ** Obsolete normative reference: RFC 7539 (Obsoleted by RFC 8439)

  ** Downref: Normative reference to an Informational RFC: RFC 7748

  ** Downref: Normative reference to an Informational RFC: RFC 8017

  ** Downref: Normative reference to an Informational RFC: RFC 8032

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SipHash1'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SipHash2'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLENC10'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLENC11'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XPointer'

  -- Obsolete informational reference (is this intentional?): RFC 6931 (ref.
     'Err3597') (Obsoleted by RFC 9231)

  -- Duplicate reference: RFC6931, mentioned in 'Err3965', was also mentioned
     in 'Err3597'.

  -- Obsolete informational reference (is this intentional?): RFC 6931 (ref.
     'Err3965') (Obsoleted by RFC 9231)

  -- Duplicate reference: RFC6931, mentioned in 'Err4004', was also mentioned
     in 'Err3965'.

  -- Obsolete informational reference (is this intentional?): RFC 6931 (ref.
     'Err4004') (Obsoleted by RFC 9231)

  -- Obsolete informational reference (is this intentional?): RFC 3075
     (Obsoleted by RFC 3275)

  -- Obsolete informational reference (is this intentional?): RFC 4051
     (Obsoleted by RFC 6931)

  -- Duplicate reference: RFC6931, mentioned in 'RFC6931', was also mentioned
     in 'Err4004'.

  -- Obsolete informational reference (is this intentional?): RFC 6931
     (Obsoleted by RFC 9231)


     Summary: 13 errors (**), 0 flaws (~~), 2 warnings (==), 26 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

INTERNET-DRAFT                                               D. Eastlake
Obsoletes: 6931                                   Futurewei Technologies
Intended Status: Proposed Standard
Expires: December 14, 2021                                 June 15, 2021

      Additional XML Security Uniform Resource Identifiers (URIs)

Abstract

   This document updates and corrects the IANA registry for the list of
   URIs intended for use with XML digital signatures, encryption,
   canonicalization, and key management. These URIs identify algorithms
   and types of information. This document corrects three errata
   against and obsoletes RFC 6931.

   The intent is to keep this draft alive while it accumulates updates
   until it seems reasonable to publish the next version.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Distribution of this document is unlimited. Comments should be sent
   to the author.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   https://www.ietf.org/1id-abstracts.html. The list of Internet-Draft
   Shadow Directories can be accessed at
   https://www.ietf.org/shadow.html.

Table of Contents

   1. Introduction
      1.1 Terminology
      1.2 Acronyms

   2. Algorithms
      2.1 DigestMethod (Hash) Algorithms
         2.1.1 MD5
         2.1.2 SHA-224
         2.1.3 SHA-384
         2.1.4 Whirlpool
         2.1.5 SHA3 Algorithms
      2.2 SignatureMethod MAC Algorithms
         2.2.1 HMAC-MD5
         2.2.2 HMAC SHA Variations
         2.2.3 HMAC-RIPEMD160
         2.2.4 Poly1305
         2.2.5 SipHash-2-4
         2.2.6 XMSS and XMSSMT
      2.3 SignatureMethod Public Key Signature Algorithms
         2.3.1 RSA-MD5
         2.3.2 RSA-SHA256
         2.3.3 RSA-SHA384
         2.3.4 RSA-SHA512
         2.3.5 RSA-RIPEMD160
         2.3.6 ECDSA-SHA*, ECDSA-RIPEMD160, ECDSA-Whirlpool
         2.3.7 ESIGN-SHA*
         2.3.8 RSA-Whirlpool
         2.3.9
               RSASSA-PSS with Parameters
         2.3.10 RSASSA-PSS without Parameters
         2.3.11 RSA-SHA224
         2.3.12 Edwards-Curve
      2.4 Minimal Canonicalization
      2.5 Transform Algorithms
         2.5.1 XPointer
      2.6 EncryptionMethod Algorithms
         2.6.1 ARCFOUR Encryption Algorithm
         2.6.2 Camellia Block Encryption
         2.6.3 Camellia Key Wrap
         2.6.4 PSEC-KEM, RSAES-KEM, and ECIES-KEM
         2.6.5 SEED Block Encryption
         2.6.6 SEED Key Wrap
         2.6.7 ChaCha20
      2.7 AgreementMethod Algorithms
         2.7.1 X25519 Key Agreement

   3. KeyInfo
      3.1 PKCS #7 Bag of Certificates and CRLs
      3.2 Additional RetrievalMethod Type Values

   4. Indexes
      4.1 Index by Fragment Index
      4.2 Index by URI

   5. Allocation Considerations
      5.1 W3C Allocation Considerations
      5.2 IANA Considerations

   6.
      Security Considerations

   Acknowledgements

   Appendix A: Changes from RFC 6931
   Appendix B: Bad URIs
   Appendix Z: Change History

   Normative References
   Informational References

   Author's Address

1. Introduction

   XML digital signatures, canonicalization, and encryption were
   standardized by the W3C and by the joint IETF/W3C XMLDSIG working
   group [W3C] [XMLSEC]. These are now W3C Recommendations and some are
   also RFCs. They are available as follows:

      RFC
      Status            W3C REC        Topic
      -----------       -------        -----

      [RFC3275]         [XMLDSIG10]    XML Digital Signatures
      Draft Standard

      [RFC3076]         [CANON10]      Canonical XML
      Informational

      - - - - - -       [XMLENC10]     XML Encryption 1.0

      [RFC3741]         [XCANON]       Exclusive XML Canonicalization 1.0
      Informational

   These documents and recommendations use URIs [RFC3986] to identify
   algorithms and keying information types. The W3C has subsequently
   produced updated XML Signature 1.1 [XMLDSIG11], Canonical XML 1.1
   [CANON11], and XML Encryption 1.1 [XMLENC11] versions, as well as a
   new XML Signature Properties specification [XMLDSIG-PROP].

   In addition, the XML Encryption recommendation has been augmented
   by [GENERIC] which defines algorithms, XML types and elements
   necessary to use generic hybrid ciphers in XML Security applications.
   [GENERIC] also provides a key encapsulation algorithm and a data
   encapsulation algorithm (see Section 2.6.4).

   All camel-case element names herein, such as DigestValue, are from
   these documents.

   This document is an updated convenient reference list of URIs and
   corresponding algorithms in which there is expressed interest. This
   document fixes Errata [Err3597], [Err3965], [Err4004] against and
   obsoletes [RFC6931].

   All of the URIs appear in the indexes in Section 4. The URIs that
   were added by [RFC4051], [RFC6931], or this document and a few others
   have a subsection in Section 2 or 3. But most URIs defined
   elsewhere, for example, use of SHA-256 as defined in [XMLENC11], have
   no subsection on that algorithm here, but their URI may be included
   in the indexes in Section 4.

   Specification in this document of the URI representing an algorithm
   does not imply endorsement of the algorithm for any particular
   purpose. A protocol specification, which this is not, generally
   gives algorithm and implementation requirements for the protocol.
   Security considerations for algorithms are constantly evolving, as
   documented elsewhere. This specification simply provides some URIs
   and relevant formatting when those URIs are used.

   This document is not intended to change the algorithm implementation
   requirements of any IETF or W3C document. Use of [RFC2119]
   terminology is intended to be only such as is already stated or
   implied by other authoritative documents.

   Progressing XML Digital Signature [RFC3275] along the Standards Track
   required removal of any algorithms from the original version
   [RFC3075] for which there was not demonstrated interoperability.
   This required removal of the Minimal Canonicalization algorithm, in
   which there appears to be continued interest. The URI for Minimal
   Canonicalization was included in [RFC4051] and [RFC6931] and is
   included here.

1.1 Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   "camel-case" refers to terms that are mostly lower case but have
   internal capital letters.

1.2 Acronyms

   The following acronyms are used in this document:

      HMAC - Keyed-Hashing MAC [RFC2104]

      IETF - Internet Engineering Task Force

      MAC - Message Authentication Code

      MD - Message Digest

      NIST - United States National Institute of Standards and
             Technology

      RC - Rivest Cipher

      RSA - Rivest, Shamir, and Adleman

      SHA - Secure Hash Algorithm

      URI - Uniform Resource Identifier [RFC3986]

      W3C - World Wide Web Consortium

      XML - eXtensible Markup Language

2. Algorithms

   The URI [RFC3986] that was dropped from the XML Digital Signature
   standard due to the transition from Proposed Standard to Draft
   Standard [RFC3275] is included in Section 2.4 below with its original

      http://www.w3.org/2000/09/xmldsig#

   prefix so as to avoid changing the XMLDSIG standard's namespace.

   Additional algorithms in [RFC4051] were given URIs that start with

      http://www.w3.org/2001/04/xmldsig-more#

   further algorithms added in [RFC6931] were given URIs that start with

      http://www.w3.org/2007/05/xmldsig-more#

   and algorithms added in this document are given URIs that start with

      http://www.w3.org/2021/04/xmldsig-more#

   In addition, for ease of reference, this document includes in the
   indexes in Section 4 many cryptographic algorithm URIs from XML
   security documents using the namespaces with which they are defined
   in those documents. For example, 2000/09/xmldsig# for some URIs
   specified in [RFC3275] and 2001/04/xmlenc# for some URIs specified in
   [XMLENC10].

   See also [XMLSECXREF].

2.1 DigestMethod (Hash) Algorithms

   These algorithms are usable wherever a DigestMethod element occurs.

2.1.1 MD5

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#md5

   The MD5 algorithm [RFC1321] takes no explicit parameters. An example
   of an MD5 DigestAlgorithm element is:

   An MD5 digest is a 128-bit string. The content of the DigestValue
   element SHALL be the base64 [RFC2045] encoding of this bit string
   viewed as a 16-octet stream. See [RFC6151] for MD5 security
   considerations.

2.1.2 SHA-224

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#sha224

   The SHA-224 algorithm [FIPS180-4] [RFC6234] takes no explicit
   parameters. An example of a SHA-224 DigestAlgorithm element is:

   A SHA-224 digest is a 224-bit string. The content of the DigestValue
   element SHALL be the base64 [RFC2045] encoding of this string viewed
   as a 28-octet stream.

2.1.3 SHA-384

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#sha384

   The SHA-384 algorithm [FIPS180-4] takes no explicit parameters. An
   example of a SHA-384 DigestAlgorithm element is:

   A SHA-384 digest is a 384-bit string. The content of the DigestValue
   element SHALL be the base64 [RFC2045] encoding of this string viewed
   as a 48-octet stream.

2.1.4 Whirlpool

   Identifier:
      http://www.w3.org/2007/05/xmldsig-more#whirlpool

   The Whirlpool algorithm [10118-3] takes no explicit parameters. A
   Whirlpool digest is a 512-bit string. The content of the DigestValue
   element SHALL be the base64 [RFC2045] encoding of this string viewed
   as a 64-octet stream.

2.1.5 SHA3 Algorithms

   Identifiers:
      http://www.w3.org/2007/05/xmldsig-more#sha3-224
      http://www.w3.org/2007/05/xmldsig-more#sha3-256
      http://www.w3.org/2007/05/xmldsig-more#sha3-384
      http://www.w3.org/2007/05/xmldsig-more#sha3-512

   NIST conducted a hash function competition for an alternative to the
   SHA family. The Keccak-f[1600] algorithm was selected [Keccak]
   [SHA-3]. This hash function is commonly referred to as "SHA-3".

   A SHA-3 224, 256, 384, and 512 digest is a 224-, 256-, 384-, and
   512-bit string, respectively. The content of the DigestValue element
   SHALL be the base64 [RFC2045] encoding of this string viewed as a
   28-, 32-, 48-, and 64-octet stream, respectively. An example of a
   SHA3-224 DigestAlgorithm element is:

2.2 SignatureMethod MAC Algorithms

   This section covers SignatureMethod MAC (Message Authentication Code)
   Algorithms.

   Note: Some text in this section is duplicated from [RFC3275] for the
   convenience of the reader. RFC 3275 is normative in case of conflict.

2.2.1 HMAC-MD5

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#hmac-md5

   The HMAC algorithm [RFC2104] takes the truncation length in bits as a
   parameter; if the parameter is not specified, then all the bits of
   the hash are output. An example of an HMAC-MD5 SignatureMethod
   element is as follows:

         112

   The output of the HMAC algorithm is ultimately the output (possibly
   truncated) of the chosen digest algorithm. This value SHALL be base64
   [RFC2045] encoded in the same straightforward fashion as the output
   of the digest algorithms. Example: the SignatureValue element for the
   HMAC-MD5 digest

      9294727A 3638BB1C 13F48EF8 158BFC9D

   from the test vectors in [RFC2104] would be

      kpRyejY4uxwT9I74FYv8nQ==

   Schema Definition:

   DTD:

   The Schema Definition and DTD immediately above are copied from
   [RFC3275].
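
   The SignatureValue computation of Section 2.2.1, with the truncation
   parameter, as an added example that is not part of the draft. The
   function names are hypothetical. The lower bound on the truncation
   length (at least 80 bits and at least half the hash output) is the
   rule from XML Signature 1.1 [XMLDSIG11], not text from this page, and
   accepting only whole-octet lengths is a simplification of the example.

```python
import base64
import hashlib
import hmac

MORE = "http://www.w3.org/2001/04/xmldsig-more#"

# SignatureMethod identifiers from Sections 2.2.1 and 2.2.2 -> hashlib name.
HMAC_ALGORITHMS = {
    MORE + "hmac-md5": "md5",
    MORE + "hmac-sha224": "sha224",
    MORE + "hmac-sha256": "sha256",
    MORE + "hmac-sha384": "sha384",
    MORE + "hmac-sha512": "sha512",
}


def acceptable_output_length(uri, bits):
    """True if a truncation length of `bits` should be accepted for `uri`.

    Floor: max(80, half the hash output), per XML Signature 1.1.
    Whole octets only: a simplification made by this example.
    """
    full = hashlib.new(HMAC_ALGORITHMS[uri]).digest_size * 8
    return bits % 8 == 0 and max(80, full // 2) <= bits <= full


def signature_value(uri, key, data, output_length=None):
    """Return the base64 SignatureValue text for an HMAC SignatureMethod."""
    if uri not in HMAC_ALGORITHMS:
        raise ValueError("not an HMAC SignatureMethod identifier: " + uri)
    mac = hmac.new(key, data, HMAC_ALGORITHMS[uri]).digest()
    if output_length is not None:
        if not acceptable_output_length(uri, output_length):
            raise ValueError("unacceptable truncation length: %d" % output_length)
        mac = mac[: output_length // 8]  # keep the leftmost bits
    return base64.b64encode(mac).decode("ascii")


def verify(uri, key, data, value_b64, output_length=None):
    """Recompute the MAC under the declared parameters and compare.

    A short tag is rejected unless the declared truncation length is
    itself acceptable, so a sender cannot shrink the MAC to a few bits.
    """
    try:
        expected = signature_value(uri, key, data, output_length)
        received = base64.b64decode(value_b64, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(base64.b64decode(expected), received)


if __name__ == "__main__":
    # RFC 2104 test vector quoted in Section 2.2.1: key = 16 octets of 0x0b.
    key, data = b"\x0b" * 16, b"Hi There"
    print(signature_value(MORE + "hmac-md5", key, data))
    print(signature_value(MORE + "hmac-md5", key, data, 112))
```
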

   See [RFC6151] for HMAC-MD5 security considerations.

2.2.2 HMAC SHA Variations

   Identifiers:
      http://www.w3.org/2001/04/xmldsig-more#hmac-sha224
      http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
      http://www.w3.org/2001/04/xmldsig-more#hmac-sha384
      http://www.w3.org/2001/04/xmldsig-more#hmac-sha512

   SHA-224, SHA-256, SHA-384, and SHA-512 [FIPS180-4] [RFC6234] can also
   be used in HMAC as described in Section 2.2.1 above for HMAC-MD5.

2.2.3 HMAC-RIPEMD160

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160

   RIPEMD-160 [10118-3] can also be used in HMAC as described in Section
   2.2.1 above for HMAC-MD5.

2.2.4 Poly1305

   Identifier:
      http://www.w3.org/2021/04/xmldsig-more#poly1305

   Poly1305 [RFC7539] [Poly1305] is a high-speed message authentication
   code algorithm.

2.2.5 SipHash-2-4

   Identifier:
      http://www.w3.org/2021/04/xmldsig-more#siphash-2-4

   SipHash [SipHash1] [SipHash2] computes a 64-bit MAC from a 128-bit
   secret key and a variable length message.

2.2.6 XMSS and XMSSMT

   Identifiers:
      http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-192
      http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-256
      http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-192
      http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-256
      http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-192
      http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-256
      http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-192
      http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-256

   XMSS and XMSSMT are stateful hash-based signature schemes
   [NIST800-208].

2.3 SignatureMethod Public Key Signature Algorithms

   These algorithms are distinguished from those in Section 2.2 above in
   that they use public key methods. That is to say, the verification
   key is different from and not feasibly derivable from the signing
   key.

2.3.1 RSA-MD5

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#rsa-md5

   This implies the PKCS#1 v1.5 padding algorithm described in
   [RFC8017]. An example of use is

   The SignatureValue content for an RSA-MD5 signature is the base64
   [RFC2045] encoding of the octet string computed as per [RFC8017],
   Section 8.2.1, signature generation for the RSASSA-PKCS1-v1_5
   signature scheme. As specified in the EMSA-PKCS1-V1_5-ENCODE function
   in [RFC8017], Section 9.2, the value input to the signature function
   MUST contain a pre-pended algorithm object identifier for the hash
   function, but the availability of an ASN.1 parser and recognition of
   OIDs is not required of a signature verifier. The PKCS#1 v1.5
   representation appears as:

      CRYPT (PAD (ASN.1 (OID, DIGEST (data))))

   The padded ASN.1 will be of the following form:

      01 | FF* | 00 | prefix | hash

   Vertical bar ("|") represents concatenation. "01", "FF", and "00" are
   fixed octets of the corresponding hexadecimal value, and the asterisk
   ("*") after "FF" indicates repetition. "hash" is the MD5 digest of
   the data. "prefix" is the ASN.1 BER MD5 algorithm designator prefix
   required in PKCS #1 [RFC8017], that is,

      hex 30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10

   This prefix is included to make it easier to use standard
   cryptographic libraries. The FF octet MUST be repeated enough times
   that the value of the quantity being CRYPTed is exactly one octet
   shorter than the RSA modulus.

   See [RFC6151] for MD5 security considerations.

2.3.2 RSA-SHA256

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

   This implies the PKCS#1 v1.5 padding algorithm [RFC8017] as described
   in Section 2.3.1, but with the ASN.1 BER SHA-256 algorithm designator
   prefix.
   An example of use is

2.3.3 RSA-SHA384

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#rsa-sha384

   This implies the PKCS#1 v1.5 padding algorithm [RFC8017] as described
   in Section 2.3.1, but with the ASN.1 BER SHA-384 algorithm designator
   prefix. An example of use is

   Because it takes about the same effort to calculate a SHA-384 message
   digest as it does a SHA-512 message digest, it is suggested that
   RSA-SHA512 be used in preference to RSA-SHA384 where possible.

2.3.4 RSA-SHA512

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

   This implies the PKCS#1 v1.5 padding algorithm [RFC8017] as described
   in Section 2.3.1, but with the ASN.1 BER SHA-512 algorithm designator
   prefix. An example of use is

2.3.5 RSA-RIPEMD160

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160

   This implies the PKCS#1 v1.5 padding algorithm [RFC8017] as described
   in Section 2.3.1, but with the ASN.1 BER RIPEMD160 algorithm
   designator prefix. An example of use is

2.3.6 ECDSA-SHA*, ECDSA-RIPEMD160, ECDSA-Whirlpool

   Identifiers:
      http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
      http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224
      http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
      http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
      http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
      http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-224
      http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-256
      http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-384
      http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-512
      http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160
      http://www.w3.org/2007/05/xmldsig-more#ecdsa-whirlpool

   The Elliptic Curve Digital Signature Algorithm (ECDSA) [FIPS186-4] is
   the elliptic curve analogue of the Digital Signature Algorithm (DSA)
   signature method, i.e., the Digital Signature Standard (DSS).
   It takes no explicit parameters. For some detailed specifications of how
   to use it with SHA hash functions and XML Digital Signature, please
   see [X9.62] and [RFC4050]. The #sha3-*, #ecdsa-ripemd160, and
   #ecdsa-whirlpool fragments identify a signature method processed in
   the same way as specified by the #ecdsa-sha1 fragment, with the
   exception that SHA3 (see Section 2.1.5), RIPEMD160 or Whirlpool (see
   Section 2.1.4) is used instead of SHA-1.

   The output of the ECDSA algorithm consists of a pair of integers
   usually referred to as the pair (r, s). The signature value consists of
   the base64 encoding of the concatenation of two octet streams that
   respectively result from the octet encoding of the values r and s in
   that order. Conversion from integer to octet-stream must be done
   according to the I2OSP operation defined in the [RFC8017]
   specification with the l parameter equal to the size of the base
   point order of the curve in bytes (e.g., 32 for the P-256 curve and
   66 for the P-521 curve [FIPS186-4]).

   For an introduction to elliptic curve cryptographic algorithms, see
   [RFC6090] and note the errata (Errata ID 2773-2777).

2.3.7 ESIGN-SHA*

   Identifiers:
      http://www.w3.org/2001/04/xmldsig-more#esign-sha1
      http://www.w3.org/2001/04/xmldsig-more#esign-sha224
      http://www.w3.org/2001/04/xmldsig-more#esign-sha256
      http://www.w3.org/2001/04/xmldsig-more#esign-sha384
      http://www.w3.org/2001/04/xmldsig-more#esign-sha512

   The ESIGN algorithm specified in [IEEEP1363a] is a signature scheme
   based on the integer factorization problem. It is much faster than
   previous digital signature schemes, so ESIGN can be implemented on
   smart cards without special co-processors.

   An example of use is

2.3.8 RSA-Whirlpool

   Identifier:
      http://www.w3.org/2007/05/xmldsig-more#rsa-whirlpool

   As in the definition of the RSA-SHA1 algorithm in [XMLDSIG11], the
   designator "RSA" means the RSASSA-PKCS1-v1_5 algorithm as defined in
   [RFC8017]. When identified through the #rsa-whirlpool fragment
   identifier, Whirlpool is used as the hash algorithm instead. Use of
   the ASN.1 BER Whirlpool algorithm designator is implied. That
   designator is

      hex 30 4e 30 0a 06 06 28 cf 06 03 00 37 05 00 04 40

   as an explicit octet sequence. This corresponds to OID
   1.0.10118.3.0.55 defined in [10118-3].

   An example of use is

2.3.9 RSASSA-PSS with Parameters

   Identifiers:
      http://www.w3.org/2007/05/xmldsig-more#rsa-pss
      http://www.w3.org/2007/05/xmldsig-more#MGF1

   These identifiers use the PKCS#1 EMSA-PSS encoding algorithm
   [RFC8017]. The RSASSA-PSS algorithm takes the digest method (hash
   function), a mask generation function, the salt length in bytes
   (SaltLength), and the trailer field as explicit parameters.

   Algorithm identifiers for hash functions specified in XML encryption
   [XMLENC11] [XMLDSIG11] and in Section 2.1 are considered to be valid
   algorithm identifiers for hash functions. According to [RFC8017],
   the default value for the digest function is SHA-1, but due to the
   discovered weakness of SHA-1 [RFC6194], it is recommended that
   SHA-256 or a stronger hash function be used. Notwithstanding
   [RFC8017], SHA-256 is the default to be used with these
   SignatureMethod identifiers if no hash function has been specified.

   The default salt length for these SignatureMethod identifiers, if the
   SaltLength is not specified, SHALL be the number of octets in the
   hash value of the digest method, as recommended in [RFC4055]. In a
   parameterized RSASSA-PSS signature the ds:DigestMethod and the
   SaltLength parameters usually appear.
   If they do not, the defaults make this equivalent to
   http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 (see Section
   2.3.10). The TrailerField defaults to 1 (0xBC) when omitted.

   Schema Definition (target namespace
   http://www.w3.org/2007/05/xmldsig-more#):

         Top level element that can be used in xs:any namespace="#other"
         wildcard of ds:SignatureMethod content.

2.3.10 RSASSA-PSS without Parameters

   [RFC8017] currently specifies only one mask generation function MGF1
   based on a hash function. Although [RFC8017] allows for
   parameterization, the default is to use the same hash function as the
   digest method function. Only this default approach is supported by
   this section; therefore, the definition of a mask generation function
   type is not needed yet. The same applies to the trailer field. There
   is only one value (0xBC) specified in [RFC8017]. Hence, this default
   parameter must be used for signature generation. The default salt
   length is the length of the hash function.
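
   The parameter defaults of Sections 2.3.9 and 2.3.10 applied to the
   EMSA-PSS encoding step of [RFC8017], as an added example that is not
   part of the draft. The function names are hypothetical, the explicit
   digest is passed as a hashlib name rather than a DigestMethod URI, only
   the SHA-1, SHA-2 and SHA-3 parameterless identifiers are mapped, and
   the RSA operation itself is left out.

```python
import hashlib
import hmac
import os

PSS_NS = "http://www.w3.org/2007/05/xmldsig-more#"
SUFFIX = "-rsa-MGF1"
# Hash part of the parameterless identifiers -> hashlib name (subset only).
FRAGMENT_HASH = {
    "sha1": "sha1", "sha224": "sha224", "sha256": "sha256",
    "sha384": "sha384", "sha512": "sha512",
    "sha3-224": "sha3_224", "sha3-256": "sha3_256",
    "sha3-384": "sha3_384", "sha3-512": "sha3_512",
}


def resolve_pss(uri, digest=None, salt_length=None, trailer_field=None):
    """Return (hashlib name, salt length in octets) for a SignatureMethod."""
    if not uri.startswith(PSS_NS):
        raise ValueError("unknown namespace: " + uri)
    frag = uri[len(PSS_NS):]
    if frag == "rsa-pss":
        digest = digest or "sha256"  # default hash stated in Section 2.3.9
        if trailer_field not in (None, 1):
            raise ValueError("only TrailerField 1 (0xBC) is defined")
    elif frag.endswith(SUFFIX) and frag[:-len(SUFFIX)] in FRAGMENT_HASH:
        if (digest, salt_length, trailer_field) != (None, None, None):
            raise ValueError("this identifier takes no parameters")
        digest = FRAGMENT_HASH[frag[:-len(SUFFIX)]]
    else:
        raise ValueError("not a supported RSASSA-PSS identifier: " + uri)
    h_len = hashlib.new(digest).digest_size
    # Default salt length is the number of octets in the hash value.
    return digest, h_len if salt_length is None else salt_length


def mgf1(seed, length, digest):
    """MGF1 over the same hash as the digest method."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(digest, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def emsa_pss_encode(message, em_bits, digest, salt_len, salt=None):
    """EMSA-PSS-ENCODE; em_bits is the modulus bit length minus one."""
    h_len = hashlib.new(digest).digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + salt_len + 2:
        raise ValueError("encoding error: modulus too short")
    salt = os.urandom(salt_len) if salt is None else salt
    m_hash = hashlib.new(digest, message).digest()
    h = hashlib.new(digest, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - salt_len - h_len - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, len(db), digest)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused top bits
    return bytes(masked) + h + b"\xbc"           # trailer field 0xBC


def emsa_pss_verify(message, em, em_bits, digest, salt_len):
    """EMSA-PSS-VERIFY; returns True only for a consistent encoding."""
    h_len = hashlib.new(digest).digest_size
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, len(masked), digest)))
    db[0] &= top
    pad = em_len - h_len - salt_len - 2
    if any(db[:pad]) or db[pad] != 0x01:  # also catches a wrong salt length
        return False
    m_hash = hashlib.new(digest, message).digest()
    salt = bytes(db[pad + 1:])
    expected = hashlib.new(digest, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, expected)
```
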

   Identifiers:
      http://www.w3.org/2007/05/xmldsig-more#sha3-224-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#sha3-256-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#sha3-384-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1

      http://www.w3.org/2007/05/xmldsig-more#md2-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#md5-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#ripemd128-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#ripemd160-rsa-MGF1
      http://www.w3.org/2007/05/xmldsig-more#whirlpool-rsa-MGF1

   An example of use is

2.3.11 RSA-SHA224

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#rsa-sha224

   This implies the PKCS#1 v1.5 padding algorithm [RFC8017] as described
   in Section 2.3.1 but with the ASN.1 BER SHA-224 algorithm designator
   prefix. An example of use is

   Because it takes about the same effort to calculate a SHA-224 message
   digest as it does a SHA-256 message digest, it is suggested that
   RSA-SHA256 be used in preference to RSA-SHA224 where possible.

   See also Appendix B concerning an erroneous version of this URI that
   appeared in [RFC6931].

2.3.12 Edwards-Curve

   The Edwards-curve Digital Signature Algorithm (EdDSA) is a variant of
   Schnorr's signature system with Edwards curves. A specification is
   provided and some advantages listed in [RFC8032]. The general EdDSA
   takes 11 parameters that must be carefully chosen for secure and
   efficient operation. Identifiers for two variants, Ed25519 and Ed448,
   are given below.

   Ed25519 uses 32 byte public keys and produces 64 byte signatures.
   It provides about 128 bits of security and uses SHA-512 (see Section
   2.2.2) as its hash algorithm.

   Ed448 uses 57 byte public keys and produces 114 byte signatures. It
   provides about 224 bits of security and uses "SHAKE256" [FIPS202] as
   its hash algorithm. (SHAKE256 is specified by NIST as an "Extensible
   Output Function" and not specified or approved by NIST as a secure
   hash function.)

   For further information on the variants of EdDSA identified below,
   see [RFC8032].

   Identifiers:
      http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519ph
      http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519ctx
      http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519

      http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448
      http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448ph

   An example of use is

2.4 Minimal Canonicalization

   Thus far, two independent interoperable implementations of Minimal
   Canonicalization have not been announced. Therefore, when XML
   Digital Signature was advanced along the Standards Track from
   [RFC3075] to [RFC3275], Minimal Canonicalization was dropped.
   However, there is still interest. For its definition, see Section
   6.5.1 of [RFC3075].

   For reference, its identifier remains:
      http://www.w3.org/2000/09/xmldsig#minimal

2.5 Transform Algorithms

   All CanonicalizationMethod algorithms can also be used as Transform
   algorithms.

2.5.1 XPointer

   Identifier:
      http://www.w3.org/2001/04/xmldsig-more#xptr

   This transform algorithm takes an [XPointer] as an explicit
   parameter. An example of use is:

         xpointer(id("foo")) xmlns(bar=http://foobar.example)
         xpointer(//bar:Zab[@Id="foo"])

   Schema Definition:

   DTD:

   Input to this transform is an octet stream (which is then parsed into
   XML).
811 Output from this transform is a node set; the results of the XPointer 812 are processed as defined in the XMLDSIG specification [RFC3275] for a 813 same-document XPointer. 815 2.6 EncryptionMethod Algorithms 817 This subsection gives identifiers and information for several 818 EncryptionMethod Algorithms. 820 2.6.1 ARCFOUR Encryption Algorithm 822 Identifier: 823 http://www.w3.org/2001/04/xmldsig-more#arcfour 825 ARCFOUR is a fast, simple stream encryption algorithm that is 826 compatible with RSA Security's RC4 algorithm [RC4]. An example 827 EncryptionMethod element using ARCFOUR is 829 831 40 832 834 Arcfour makes use of the generic KeySize parameter specified and 835 defined in [XMLENC11]. 837 2.6.2 Camellia Block Encryption 839 Identifiers: 840 http://www.w3.org/2001/04/xmldsig-more#camellia128-cbc 841 http://www.w3.org/2001/04/xmldsig-more#camellia192-cbc 842 http://www.w3.org/2001/04/xmldsig-more#camellia256-cbc 844 Camellia is a block cipher with the same interface as the AES 845 [Camellia] [RFC3713]; it has a 128-bit block size and 128-, 192-, and 846 256-bit key sizes. In XML Encryption Camellia is used in the same way 847 as the AES: It is used in the Cipher Block Chaining (CBC) mode with a 848 128-bit initialization vector (IV). The resulting cipher text is 849 prefixed by the IV. If included in XML output, it is then base64 850 encoded. An example Camellia EncryptionMethod is as follows: 852 857 2.6.3 Camellia Key Wrap 859 Identifiers: 860 http://www.w3.org/2001/04/xmldsig-more#kw-camellia128 861 http://www.w3.org/2001/04/xmldsig-more#kw-camellia192 862 http://www.w3.org/2001/04/xmldsig-more#kw-camellia256 864 Camellia [Camellia] [RFC3713] key wrap is identical to the AES key 865 wrap algorithm [RFC3394] specified in the XML Encryption standard 866 with "AES" replaced by "Camellia". As with AES key wrap, the check 867 value is 0xA6A6A6A6A6A6A6A6. 
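The wrap procedure described above does not depend on which 128-bit block cipher is plugged in, which the following added example (not part of the draft) shows by implementing the RFC 3394 wrap and unwrap steps against a pluggable cipher interface. `StandInBlockCipher` is a constructed Feistel stand-in, not Camellia or SEED; a vetted Camellia or SEED implementation would supply `encrypt_block` and `decrypt_block` in practice, and all class and function names are assumptions of this example.

```python
"""RFC 3394 key wrap over a pluggable 128-bit block cipher (added example)."""
import hashlib
import hmac

# Check value (default initial value) quoted in the text above.
CHECK_VALUE = bytes.fromhex("A6A6A6A6A6A6A6A6")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StandInBlockCipher:
    """Constructed 8-round Feistel permutation on 16-byte blocks.

    This is NOT Camellia or SEED and is not for production use. It only
    provides the 16-byte encrypt/decrypt interface the wrap algorithm calls,
    so that the example runs with the standard library alone.
    """

    def __init__(self, kek: bytes):
        if len(kek) not in (16, 24, 32):
            raise ValueError("KEK must be 128, 192 or 256 bits")
        self._round_keys = [hashlib.sha256(kek + bytes([r])).digest()
                            for r in range(8)]

    @staticmethod
    def _f(round_key: bytes, half: bytes) -> bytes:
        return hashlib.sha256(round_key + half).digest()[:8]

    def encrypt_block(self, block: bytes) -> bytes:
        left, right = block[:8], block[8:]
        for rk in self._round_keys:
            left, right = right, _xor(left, self._f(rk, right))
        return left + right

    def decrypt_block(self, block: bytes) -> bytes:
        left, right = block[:8], block[8:]
        for rk in reversed(self._round_keys):
            left, right = _xor(right, self._f(rk, left)), left
        return left + right


def wrap_key(cipher, key_data: bytes) -> bytes:
    """RFC 3394 Section 2.2.1 wrap; output is 8 bytes longer than the input."""
    if len(key_data) < 16 or len(key_data) % 8:
        raise ValueError("key data must be two or more 64-bit blocks")
    n = len(key_data) // 8
    a = CHECK_VALUE
    r = [key_data[i:i + 8] for i in range(0, len(key_data), 8)]
    for j in range(6):
        for i in range(n):
            b = cipher.encrypt_block(a + r[i])
            t = n * j + i + 1                      # step counter, 1-based
            a = _xor(b[:8], t.to_bytes(8, "big"))
            r[i] = b[8:]
    return a + b"".join(r)


def unwrap_key(cipher, wrapped: bytes) -> bytes:
    """RFC 3394 Section 2.2.2 unwrap; rejects data whose check value differs."""
    if len(wrapped) < 24 or len(wrapped) % 8:
        raise ValueError("wrapped key has an invalid length")
    n = len(wrapped) // 8 - 1
    a = wrapped[:8]
    r = [wrapped[i:i + 8] for i in range(8, len(wrapped), 8)]
    for j in reversed(range(6)):
        for i in reversed(range(n)):
            t = n * j + i + 1
            b = cipher.decrypt_block(_xor(a, t.to_bytes(8, "big")) + r[i])
            a = b[:8]
            r[i] = b[8:]
    # The recovered register must equal the check value; anything else means
    # a wrong KEK or modified ciphertext, and no key material is released.
    if not hmac.compare_digest(a, CHECK_VALUE):
        raise ValueError("integrity check failed: wrong KEK or modified data")
    return b"".join(r)


if __name__ == "__main__":
    kek = bytes(range(16))              # constructed sample KEK
    content_key = bytes(range(16, 32))  # constructed sample key to wrap
    cipher = StandInBlockCipher(kek)
    wrapped = wrap_key(cipher, content_key)
    print(len(wrapped), unwrap_key(cipher, wrapped) == content_key)
```

Unwrapping releases no key bytes unless the recovered register equals the check value, so a wrong KEK and a modified wrapped key are both rejected the same way.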
869 The algorithm is the same whatever the size of the Camellia key used 870 in wrapping, called the "key encrypting key" or "KEK". If Camellia is 871 supported, it is particularly suggested that wrapping 128-bit keys 872 with a 128-bit KEK and wrapping 256-bit keys with a 256-bit KEK be 873 supported. 875 An example of use is: 877 882 2.6.4 PSEC-KEM, RSAES-KEM, and ECIES-KEM 884 Identifiers: 885 http://www.w3.org/2001/04/xmldsig-more#psec-kem 886 http://www.w3.org/2010/xmlsec-ghc#rsaes-kem 887 http://www.w3.org/2010/xmlsec-ghc#ecies-kem 889 These algorithms, specified in [18033-2], are key encapsulation 890 mechanisms using elliptic curve encryption. RSAES-KEM and ECIES-KEM 891 are also specified in [GENERIC]. 893 An example of use of PSEC-KEM is: 895 897 898 version 899 id 900 curve 901 base 902 order 903 cofactor 904 905 907 See [18033-2] for information on the parameters above. 909 2.6.5 SEED Block Encryption 911 Identifier: 912 http://www.w3.org/2007/05/xmldsig-more#seed128-cbc 914 SEED [RFC4269] is a block cipher with a 128-bit block size and a 128-bit key size. In XML 915 Encryption, SEED can be used in the Cipher Block Chaining (CBC) mode 916 with a 128-bit initialization vector (IV). The resulting cipher text 917 is prefixed by the IV. If included in XML output, it is then base64 918 encoded. 920 An example SEED EncryptionMethod is as follows: 922 925 2.6.6 SEED Key Wrap 927 Identifier: 928 http://www.w3.org/2007/05/xmldsig-more#kw-seed128 930 Key wrapping with SEED is identical to Section 2.2.1 of [RFC3394] 931 with "AES" replaced by "SEED". The algorithm is specified in 932 [RFC4010]. The implementation of SEED is optional. The default 933 initial value is 0xA6A6A6A6A6A6A6A6. 935 An example of use is: 937 942 2.6.7 ChaCha20 944 Identifier: 945 http://www.w3.org/2021/04/xmldsig-more#chacha20 947 ChaCha20 [RFC7539], a stream cipher, is a variant of Salsa20 948 [ChaCha]. It is considerably faster than AES in software-only 949 implementations.
951 An example of use is: 953 958 2.7 AgreementMethod Algorithms 960 This subsection gives identifiers and information for an additional 961 AgreementMethod Algorithms [XMLENC11]. 963 2.7.1 X25519 Key Agreement 965 Identifier: 966 http://www.w3.org/2021/04/xmldsig-more#x25519 968 The X25519 key agreement algorithm is specified in [RFC7748]. 970 3. KeyInfo 972 In Section 3.1 below a new KeyInfo element child is specified, while 973 in Section 3.2 additional KeyInfo Type values for use in 974 RetrievalMethod are specified. 976 3.1 PKCS #7 Bag of Certificates and CRLs 978 A PKCS #7 [RFC2315] "signedData" can also be used as a bag of 979 certificates and/or certificate revocation lists (CRLs). The 980 PKCS7signedData element is defined to accommodate such structures 981 within KeyInfo. The binary PKCS #7 structure is base64 [RFC2045] 982 encoded. Any signer information present is ignored. The following 983 is an example [RFC3092], eliding the base64 data: 985 987 ... 988 990 3.2 Additional RetrievalMethod Type Values 992 The Type attribute of RetrievalMethod is an optional identifier for 993 the type of data to be retrieved. The result of dereferencing a 994 RetrievalMethod reference for all KeyInfo types with an XML structure 995 is an XML element or document with that element as the root. The 996 various "raw" key information types return a binary value. Thus, they 997 require a Type attribute because they are not unambiguously parsable. 999 Identifiers: 1000 http://www.w3.org/2001/04/xmldsig-more#KeyName 1001 http://www.w3.org/2001/04/xmldsig-more#KeyValue 1002 http://www.w3.org/2001/04/xmldsig-more#PKCS7signedData 1003 http://www.w3.org/2001/04/xmldsig-more#rawPGPKeyPacket 1004 http://www.w3.org/2001/04/xmldsig-more#rawPKCS7signedData 1005 http://www.w3.org/2001/04/xmldsig-more#rawSPKISexp 1006 http://www.w3.org/2001/04/xmldsig-more#rawX509CRL 1007 http://www.w3.org/2001/04/xmldsig-more#RetrievalMethod 1009 4. 
Indexes 1011 The following subsections provide an index by URI and by fragment 1012 identifier (the portion of the URI after "#") of the algorithm and 1013 KeyInfo URIs defined in this document and in the standards (plus the 1014 one KeyInfo child element name defined in this document). The 1015 "Sec/Doc" column has the section of this document or, if not 1016 specified in this document, the standards document where the item is 1017 specified. See also [XMLSECXREF]. 1019 4.1 Index by Fragment Index 1021 The initial "http://www.w3.org/" part of the URI is not included 1022 below. The first six entries have a null fragment identifier or no 1023 fragment identifier. "{Bad}" indicates a Bad value that was 1024 accidentally included in [RFC6931]. Implementations SHOULD only 1025 generate the correct URI but SHOULD understand both the correct and 1026 erroneous URI. See also Appendix B. 1028 Fragment URI Sec/Doc 1029 --------- ---- -------- 1031 2002/06/xmldsig-filter2 [XPATH] 1032 2006/12/xmlc12n11# {Bad} [CANON11] 1033 2006/12/xmlc14n11# [CANON11] 1034 TR/1999/REC-xslt-19991116 [XSLT] 1035 TR/1999/REC-xpath-19991116 [XPATH] 1036 TR/2001/06/xml-exc-c14n# [XCANON] 1037 TR/2001/REC-xml-c14n-20010315 [CANON10] 1038 TR/2001/REC-xmlschema-1-20010502 [Schema] 1040 aes128-cbc 2001/04/xmlenc#aes128-cbc [XMLENC11] 1041 aes128-gcm 2009/xmlenc11#aes128-gcm [XMLENC11] 1042 aes192-cbc 2001/04/xmlenc#aes192-cbc [XMLENC11] 1043 aes192-gcm 2009/xmlenc11#aes192-gcm [XMLENC11] 1044 aes256-cbc 2001/04/xmlenc#aes256-cbc [XMLENC11] 1045 aes256-gcm 2009/xmlenc11#aes256-gcm [XMLENC11] 1046 arcfour 2001/04/xmldsig-more#arcfour 2.6.1 1048 base64 2000/09/xmldsig#base64 [RFC3275] 1050 camellia128-cbc 2001/04/xmldsig-more#camellia128-cbc 2.6.2 1051 camellia192-cbc 2001/04/xmldsig-more#camellia192-cbc 2.6.2 1052 camellia256-cbc 2001/04/xmldsig-more#camellia256-cbc 2.6.2 1053 chacha20 2021/04/xmldsig-more#chacha20 2.6.7 1054 ConcatKDF 2009/xmlenc11#ConcatKDF [XMLENC11] 1055 decrypt#XML 
2002/07/decrypt#XML [DECRYPT] 1056 decrypt#Binary 2002/07/decrypt#Binary [DECRYPT] 1057 DEREncodedKeyValue 2009/xmldsig11#DEREncodedKeyValue [XMLDSIG11] 1058 dh 2001/04/xmlenc#dh [XMLENC11] 1059 dh-es 2009/xmlenc11#dh-es [XMLENC11] 1060 dsa-sha1 2000/09/xmldsig#dsa-sha1 [RFC3275] 1061 dsa-sha256 2009/xmldsig11#dsa-sha256 [XMLDSIG11] 1062 DSAKeyValue 2000/09/xmldsig#DSAKeyValue [XMLDSIG11] 1064 ECDH-ES 2009/xmlenc11#ECDH-ES [XMLENC11] 1065 ecdsa-ripemd160 2007/05/xmldsig-more#ecdsa-ripemd160 2.3.6 1066 ecdsa-sha1 2001/04/xmldsig-more#ecdsa-sha1 2.3.6 1067 ecdsa-sha224 2001/04/xmldsig-more#ecdsa-sha224 2.3.6 1068 ecdsa-sha256 2001/04/xmldsig-more#ecdsa-sha256 2.3.6 1069 ecdsa-sha384 2001/04/xmldsig-more#ecdsa-sha384 2.3.6 1070 ecdsa-sha512 2001/04/xmldsig-more#ecdsa-sha512 2.3.6 1071 ecdsa-sha3-224 2021/04/xmldsig-more#ecdsa-sha3-224 2.3.6 1072 ecdsa-sha3-256 2021/04/xmldsig-more#ecdsa-sha3-256 2.3.6 1073 ecdsa-sha3-384 2021/04/xmldsig-more#ecdsa-sha3-384 2.3.6 1074 ecdsa-sha3-512 2021/04/xmldsig-more#ecdsa-sha3-512 2.3.6 1075 ecdsa-whirlpool 2007/05/xmldsig-more#ecdsa-whirlpool 2.3.5 1076 ecies-kem 2010/xmlsec-ghc#ecies-kem [GENERIC] 1077 ECKeyValue 2009/xmldsig11#ECKeyValue [XMLDSIG11] 1078 eddsa-ed25519 2021/04/xmldsig-more#eddsa-ed25519 2.3.12 1079 eddsa-ed25519ctx 2021/04/xmldsig-more#eddsa-ed25519ctx 2.3.12 1080 eddsa-ed25519ph 2021/04/xmldsig-more#eddsa-ed25519ph 2.3.12 1081 eddsa-ed448 2021/04/xmldsig-more#eddsa-ed448 2.3.12 1082 eddsa-ed448ph 2021/04/xmldsig-more#eddsa-ed448ph 2.3.12 1083 enveloped-signature 2000/09/xmldsig#enveloped-signature [RFC3275] 1084 esign-sha1 2001/04/xmldsig-more#esign-sha1 2.3.7 1085 esign-sha224 2001/04/xmldsig-more#esign-sha224 2.3.7 1086 esign-sha256 2001/04/xmldsig-more#esign-sha256 2.3.7 1087 esign-sha384 2001/04/xmldsig-more#esign-sha384 2.3.7 1088 esign-sha512 2001/04/xmldsig-more#esign-sha512 2.3.7 1090 generic-hybrid 2010/xmlsec-ghc#generic-hybrid [GENERIC] 1092 hmac-md5 2001/04/xmldsig-more#hmac-md5 2.2.1 1093 
hmac-ripemd160 2001/04/xmldsig-more#hmac-ripemd160 2.2.3 1094 hmac-sha1 2000/09/xmldsig#hmac-sha1 [RFC3275] 1095 hmac-sha224 2001/04/xmldsig-more#hmac-sha224 2.2.2 1096 hmac-sha256 2001/04/xmldsig-more#hmac-sha256 2.2.2 1097 hmac-sha384 2001/04/xmldsig-more#hmac-sha384 2.2.2 1098 hmac-sha512 2001/04/xmldsig-more#hmac-sha512 2.2.2 1100 KeyName 2001/04/xmldsig-more#KeyName 3.2 1101 KeyValue 2001/04/xmldsig-more#KeyValue 3.2 1102 kw-aes128 2001/04/xmlenc#kw-aes128 [XMLENC11] 1103 kw-aes128-pad 2009/xmlenc11#kw-aes-128-pad [XMLENC11] 1104 kw-aes192 2001/04/xmlenc#kw-aes192 [XMLENC11] 1105 kw-aes192-pad 2009/xmlenc11#kw-aes-192-pad [XMLENC11] 1106 kw-aes256 2001/04/xmlenc#kw-aes256 [XMLENC11] 1107 kw-aes256-pad 2009/xmlenc11#kw-aes-256-pad [XMLENC11] 1108 kw-camellia128 2001/04/xmldsig-more#kw-camellia128 2.6.3 1109 kw-camellia192 2001/04/xmldsig-more#kw-camellia192 2.6.3 1110 kw-camellia256 2001/04/xmldsig-more#kw-camellia256 2.6.3 1111 kw-seed128 2007/05/xmldsig-more#kw-seed128 2.6.6 1113 md2-rsa-MGF1 2007/05/xmldsig-more#md2-rsa-MGF1 2.3.10 1114 md5 2001/04/xmldsig-more#md5 2.1.1 1115 md5-rsa-MGF1 2007/05/xmldsig-more#md5-rsa-MGF1 2.3.10 1116 MGF1 2007/05/xmldsig-more#MGF1 2.3.9 1117 mgf1sha1 2009/xmlenc11#mgf1sha1 [XMLENC11] 1118 mgf1sha224 2009/xmlenc11#mgf1sha224 [XMLENC11] 1119 mgf1sha256 2009/xmlenc11#mgf1sha256 [XMLENC11] 1120 mgf1sha384 2009/xmlenc11#mgf1sha384 [XMLENC11] 1121 mgf1sha512 2009/xmlenc11#mgf1sha512 [XMLENC11] 1122 MgmtData 2000/09/xmldsig#MgmtData [XMLDSIG11] 1123 minimal 2000/09/xmldsig#minimal 2.4 1125 pbkdf2 2009/xmlenc11#pbkdf2 [XMLENC11] 1126 PGPData 2000/09/xmldsig#PGPData [XMLDSIG11] 1127 PKCS7signedData 2001/04/xmldsig-more#PKCS7signedData 3.1 1128 PKCS7signedData 2001/04/xmldsig-more#PKCS7signedData 3.2 1129 poly1305 2021/04/xmldsig-more#poly1305 2.2.4 1130 psec-kem 2001/04/xmldsig-more#psec-kem 2.6.4 1132 rawPGPKeyPacket 2001/04/xmldsig-more#rawPGPKeyPacket 3.2 1133 rawPKCS7signedData 2001/04/xmldsig-more#rawPKCS7signedData 3.2 1134 
rawSPKISexp 2001/04/xmldsig-more#rawSPKISexp 3.2 1135 rawX509Certificate 2000/09/xmldsig#rawX509Certificate [RFC3275] 1136 rawX509CRL 2001/04/xmldsig-more#rawX509CRL 3.2 1137 RetrievalMethod 2001/04/xmldsig-more#RetrievalMethod 3.2 1138 ripemd128-rsa-MGF1 2007/05/xmldsig-more#ripemd128-rsa-MGF1 1139 2.3.10 1140 ripemd160 2001/04/xmlenc#ripemd160 [XMLENC11] 1141 ripemd160-rsa-MGF1 2007/05/xmldsig-more#ripemd160-rsa-MGF1 1142 2.3.10 1143 rsa-1_5 2001/04/xmlenc#rsa-1_5 [XMLENC11] 1144 rsa-md5 2001/04/xmldsig-more#rsa-md5 2.3.1 1145 rsa-oaep 2009/xmlenc11#rsa-oaep [XMLENC11] 1146 rsa-oaep-mgf1p 2001/04/xmlenc#rsa-oaep-mgf1p [XMLENC11] 1147 rsa-pss 2007/05/xmldsig-more#rsa-pss 2.3.9 1148 rsa-ripemd160 2001/04/xmldsig-more#rsa-ripemd160 2.3.5 1149 rsa-sha1 2000/09/xmldsig#rsa-sha1 [RFC3275] 1150 rsa-sha224 2007/05/xmldsig-more#rsa-sha224 {Bad} 2.3.11 1151 rsa-sha224 2001/04/xmldsig-more#rsa-sha224 2.3.11 1152 rsa-sha256 2001/04/xmldsig-more#rsa-sha256 2.3.2 1153 rsa-sha384 2001/04/xmldsig-more#rsa-sha384 2.3.3 1154 rsa-sha512 2001/04/xmldsig-more#rsa-sha512 2.3.4 1155 rsa-whirlpool 2007/05/xmldsig-more#rsa-whirlpool 2.3.5 1156 rsaes-kem 2010/xmlsec-ghc#rsaes-kem [GENERIC] 1157 RSAKeyValue 2000/09/xmldsig#RSAKeyValue [XMLDSIG11] 1159 seed128-cbc 2007/05/xmldsig-more#seed128-cbc 2.6.5 1160 sha1 2000/09/xmldsig#sha1 [RFC3275] 1161 sha1-rsa-MGF1 2007/05/xmldsig-more#sha1-rsa-MGF1 2.3.10 1162 sha224 2001/04/xmldsig-more#sha224 2.1.2 1163 sha224-rsa-MGF1 2007/05/xmldsig-more#sha224-rsa-MGF1 2.3.10 1164 sha256 2001/04/xmlenc#sha256 [XMLENC11] 1165 sha256-rsa-MGF1 2007/05/xmldsig-more#sha256-rsa-MGF1 2.3.10 1166 sha3-224 2007/05/xmldsig-more#sha3-224 2.1.5 1167 sha3-224-rsa-MGF1 2007/05/xmldsig-more#sha3-224-rsa-MGF1 2.3.10 1168 sha3-256 2007/05/xmldsig-more#sha3-256 2.1.5 1169 sha3-256-rsa-MGF1 2007/05/xmldsig-more#sha3-256-rsa-MGF1 2.3.10 1170 sha3-384 2007/05/xmldsig-more#sha3-384 2.1.5 1171 sha3-384-rsa-MGF1 2007/05/xmldsig-more#sha3-384-rsa-MGF1 2.3.10 1172 sha3-512 
2007/05/xmldsig-more#sha3-512 2.1.5 1173 sha3-512-rsa-MGF1 2007/05/xmldsig-more#sha3-512-rsa-MGF1 2.3.10 1174 sha384 2001/04/xmldsig-more#sha384 2.1.3 1175 sha384-rsa-MGF1 2007/05/xmldsig-more#sha384-rsa-MGF1 2.3.10 1176 sha512 2001/04/xmlenc#sha512 [XMLENC11] 1177 sha512-rsa-MGF1 2007/05/xmldsig-more#sha512-rsa-MGF1 2.3.10 1178 siphash-2-4 2021/04/xmldsig-more#siphash-2-4 2.2.5 1179 SPKIData 2000/09/xmldsig#SPKIData [XMLDSIG11] 1181 tripledes-cbc 2001/04/xmlenc#tripledes-cbc [XMLENC11] 1183 whirlpool 2007/05/xmldsig-more#whirlpool 2.1.4 1184 whirlpool-rsa-MGF1 2007/05/xmldsig-more#whirlpool-rsa-MGF1 1185 2.3.10 1186 WithComments 2006/12/xmlc14n11#WithComments [CANON11] 1187 WithComments TR/2001/06/xml-exc-c14n#WithComments 1188 [XCANON] 1189 WithComments TR/2001/REC-xml-c14n-20010315#WithComments 1190 [CANON10] 1192 x25519 2021/04/xmldsig-more#x25519 2.7.1 1193 X509Data 2000/09/xmldsig#X509Data [XMLDSIG11] 1194 xmss-sha2-192 2021/04/xmldsig-more#xmss-sha2-192 2.2.6 1195 xmss-sha2-256 2021/04/xmldsig-more#xmss-sha2-256 2.2.6 1196 xmss-shake256-192 2021/04/xmldsig-more#xmss-shake256-192 2.2.6 1197 xmss-shake256-256 2021/04/xmldsig-more#xmss-shake256-256 2.2.6 1198 xmssmt-sha2-192 2021/04/xmldsig-more#xmssmt-sha2-192 2.2.6 1199 xmssmt-sha2-256 2021/04/xmldsig-more#xmssmt-sha2-256 2.2.6 1200 xmssmt-shake256-192 2021/04/xmldsig-more#xmssmt-shake256-192 1201 2.2.6 1202 xmssmt-shake256-256 2021/04/xmldsig-more#xmssmt-shake256-256 1203 2.2.6 1204 xptr 2001/04/xmldsig-more#xptr 2.5.1 1205 The initial "http://www.w3.org/" part of the URI is not included 1206 above. 1208 4.2 Index by URI 1210 The initial "http://www.w3.org/" part of the URI is not included 1211 below. "{Bad}" indicates a Bad value that was accidentally included 1212 in [RFC6931]. Implementations SHOULD only generate the correct URI 1213 but SHOULD understand both the correct and erroneous URI. See also 1214 Appendix B. 
1216 URI Sec/Doc Type 1217 ---- -------- ----- 1219 2000/09/xmldsig#base64 [RFC3275] Transform 1220 2000/09/xmldsig#DSAKeyValue [RFC3275] Retrieval type 1221 2000/09/xmldsig#dsa-sha1 [RFC3275] SignatureMethod 1222 2000/09/xmldsig#enveloped-signature [RFC3275] Transform 1223 2000/09/xmldsig#hmac-sha1 [RFC3275] SignatureMethod 1224 2000/09/xmldsig#MgmtData [RFC3275] Retrieval type 1225 2000/09/xmldsig#minimal 2.4 Canonicalization 1226 2000/09/xmldsig#PGPData [RFC3275] Retrieval type 1227 2000/09/xmldsig#rawX509Certificate [RFC3275] Retrieval type 1228 2000/09/xmldsig#rsa-sha1 [RFC3275] SignatureMethod 1229 2000/09/xmldsig#RSAKeyValue [RFC3275] Retrieval type 1230 2000/09/xmldsig#sha1 [RFC3275] DigestAlgorithm 1231 2000/09/xmldsig#SPKIData [RFC3275] Retrieval type 1232 2000/09/xmldsig#X509Data [RFC3275] Retrieval type 1234 2001/04/xmldsig-more#arcfour 2.6.1 EncryptionMethod 1235 2001/04/xmldsig-more#camellia128-cbc 2.6.2 EncryptionMethod 1236 2001/04/xmldsig-more#camellia192-cbc 2.6.2 EncryptionMethod 1237 2001/04/xmldsig-more#camellia256-cbc 2.6.2 EncryptionMethod 1238 2001/04/xmldsig-more#ecdsa-sha1 2.3.6 SignatureMethod 1239 2001/04/xmldsig-more#ecdsa-sha224 2.3.6 SignatureMethod 1240 2001/04/xmldsig-more#ecdsa-sha256 2.3.6 SignatureMethod 1241 2001/04/xmldsig-more#ecdsa-sha384 2.3.6 SignatureMethod 1242 2001/04/xmldsig-more#ecdsa-sha512 2.3.6 SignatureMethod 1243 2001/04/xmldsig-more#esign-sha1 2.3.7 SignatureMethod 1244 2001/04/xmldsig-more#esign-sha224 2.3.7 SignatureMethod 1245 2001/04/xmldsig-more#esign-sha256 2.3.7 SignatureMethod 1246 2001/04/xmldsig-more#esign-sha384 2.3.7 SignatureMethod 1247 2001/04/xmldsig-more#esign-sha512 2.3.7 SignatureMethod 1248 2001/04/xmldsig-more#hmac-md5 2.2.1 SignatureMethod 1249 2001/04/xmldsig-more#hmac-ripemd160 2.2.3 SignatureMethod 1250 2001/04/xmldsig-more#hmac-sha224 2.2.2 SignatureMethod 1251 2001/04/xmldsig-more#hmac-sha256 2.2.2 SignatureMethod 1252 2001/04/xmldsig-more#hmac-sha384 2.2.2 SignatureMethod 1253 
2001/04/xmldsig-more#hmac-sha512 2.2.2 SignatureMethod 1254 2001/04/xmldsig-more#KeyName 3.2 Retrieval type 1255 2001/04/xmldsig-more#KeyValue 3.2 Retrieval type 1256 2001/04/xmldsig-more#kw-camellia128 2.6.3 EncryptionMethod 1257 2001/04/xmldsig-more#kw-camellia192 2.6.3 EncryptionMethod 1258 2001/04/xmldsig-more#kw-camellia256 2.6.3 EncryptionMethod 1259 2001/04/xmldsig-more#md5 2.1.1 DigestAlgorithm 1260 2001/04/xmldsig-more#PKCS7signedData 3.2 Retrieval type 1261 2001/04/xmldsig-more#psec-kem 2.6.4 EncryptionMethod 1262 2001/04/xmldsig-more#rawPGPKeyPacket 3.2 Retrieval type 1263 2001/04/xmldsig-more#rawPKCS7signedData 3.2 Retrieval type 1264 2001/04/xmldsig-more#rawSPKISexp 3.2 Retrieval type 1265 2001/04/xmldsig-more#rawX509CRL 3.2 Retrieval type 1266 2001/04/xmldsig-more#RetrievalMethod 3.2 Retrieval type 1267 2001/04/xmldsig-more#rsa-md5 2.3.1 SignatureMethod 1268 2001/04/xmldsig-more#rsa-sha224 2.3.11 SignatureMethod 1269 2001/04/xmldsig-more#rsa-sha256 2.3.2 SignatureMethod 1270 2001/04/xmldsig-more#rsa-sha384 2.3.3 SignatureMethod 1271 2001/04/xmldsig-more#rsa-sha512 2.3.4 SignatureMethod 1272 2001/04/xmldsig-more#rsa-ripemd160 2.3.5 SignatureMethod 1273 2001/04/xmldsig-more#sha224 2.1.2 DigestAlgorithm 1274 2001/04/xmldsig-more#sha384 2.1.3 DigestAlgorithm 1275 2001/04/xmldsig-more#xptr 2.5.1 Transform 1276 2001/04/xmldsig-more#PKCS7signedData 3.1 KeyInfo child 1278 2001/04/xmlenc#aes128-cbc [XMLENC11] EncryptionMethod 1279 2001/04/xmlenc#aes192-cbc [XMLENC11] EncryptionMethod 1280 2001/04/xmlenc#aes256-cbc [XMLENC11] EncryptionMethod 1281 2001/04/xmlenc#dh [XMLENC11] AgreementMethod 1282 2001/04/xmlenc#kw-aes128 [XMLENC11] EncryptionMethod 1283 2001/04/xmlenc#kw-aes192 [XMLENC11] EncryptionMethod 1284 2001/04/xmlenc#kw-aes256 [XMLENC11] EncryptionMethod 1285 2001/04/xmlenc#ripemd160 [XMLENC11] DigestAlgorithm 1286 2001/04/xmlenc#rsa-1_5 [XMLENC11] EncryptionMethod 1287 2001/04/xmlenc#rsa-oaep-mgf1p [XMLENC11] EncryptionMethod 1288 2001/04/xmlenc#sha256 
[XMLENC11] DigestAlgorithm 1289 2001/04/xmlenc#sha512 [XMLENC11] DigestAlgorithm 1290 2001/04/xmlenc#tripledes-cbc [XMLENC11] EncryptionMethod 1292 2002/06/xmldsig-filter2 [XPATH] Transform 1294 2002/07/decrypt#XML [DECRYPT] Transform 1295 2002/07/decrypt#Binary [DECRYPT] Transform 1297 2006/12/xmlc12n11# {Bad} [CANON11] Canonicalization 1298 2006/12/xmlc14n11# [CANON11] Canonicalization 1299 2006/12/xmlc14n11#WithComments [CANON11] Canonicalization 1300 2007/05/xmldsig-more#ecdsa-ripemd160 2.3.6 SignatureMethod 1301 2007/05/xmldsig-more#ecdsa-whirlpool 2.3.5 SignatureMethod 1302 2007/05/xmldsig-more#kw-seed128 2.6.6 EncryptionMethod 1303 2007/05/xmldsig-more#md2-rsa-MGF1 2.3.10 SignatureMethod 1304 2007/05/xmldsig-more#md5-rsa-MGF1 2.3.10 SignatureMethod 1305 2007/05/xmldsig-more#MGF1 2.3.9 SignatureMethod 1306 2007/05/xmldsig-more#ripemd128-rsa-MGF1 2.3.10 SignatureMethod 1307 2007/05/xmldsig-more#ripemd160-rsa-MGF1 2.3.10 SignatureMethod 1308 2007/05/xmldsig-more#rsa-pss 2.3.9 SignatureMethod 1309 2007/05/xmldsig-more#rsa-sha224 {Bad} 2.3.11 SignatureMethod 1310 2007/05/xmldsig-more#rsa-whirlpool 2.3.5 SignatureMethod 1311 2007/05/xmldsig-more#seed128-cbc 2.6.5 EncryptionMethod 1312 2007/05/xmldsig-more#sha1-rsa-MGF1 2.3.10 SignatureMethod 1313 2007/05/xmldsig-more#sha224-rsa-MGF1 2.3.10 SignatureMethod 1314 2007/05/xmldsig-more#sha256-rsa-MGF1 2.3.10 SignatureMethod 1315 2007/05/xmldsig-more#sha3-224 2.1.5 DigestAlgorithm 1316 2007/05/xmldsig-more#sha3-224-rsa-MGF1 2.3.10 SignatureMethod 1317 2007/05/xmldsig-more#sha3-256 2.1.5 DigestAlgorithm 1318 2007/05/xmldsig-more#sha3-256-rsa-MGF1 2.3.10 SignatureMethod 1319 2007/05/xmldsig-more#sha3-384 2.1.5 DigestAlgorithm 1320 2007/05/xmldsig-more#sha3-384-rsa-MGF1 2.3.10 SignatureMethod 1321 2007/05/xmldsig-more#sha3-512 2.1.5 DigestAlgorithm 1322 2007/05/xmldsig-more#sha3-512-rsa-MGF1 2.3.10 SignatureMethod 1323 2007/05/xmldsig-more#sha384-rsa-MGF1 2.3.10 SignatureMethod 1324 2007/05/xmldsig-more#sha512-rsa-MGF1 
2.3.10 SignatureMethod 1325 2007/05/xmldsig-more#whirlpool 2.1.4 DigestAlgorithm 1326 2007/05/xmldsig-more#whirlpool-rsa-MGF1 2.3.10 SignatureMethod 1327 2009/xmlenc11#kw-aes-128-pad [XMLENC11] EncryptionMethod 1328 2009/xmlenc11#kw-aes-192-pad [XMLENC11] EncryptionMethod 1329 2009/xmlenc11#kw-aes-256-pad [XMLENC11] EncryptionMethod 1331 2009/xmldsig11#dsa-sha256 [XMLDSIG11] SignatureMethod 1332 2009/xmldsig11#ECKeyValue [XMLDSIG11] Retrieval type 1333 2009/xmldsig11#DEREncodedKeyValue [XMLDSIG11] Retrieval type 1335 2009/xmlenc11#aes128-gcm [XMLENC11] EncryptionMethod 1336 2009/xmlenc11#aes192-gcm [XMLENC11] EncryptionMethod 1337 2009/xmlenc11#aes256-gcm [XMLENC11] EncryptionMethod 1338 2009/xmlenc11#ConcatKDF [XMLENC11] EncryptionMethod 1339 2009/xmlenc11#mgf1sha1 [XMLENC11] SignatureMethod 1340 2009/xmlenc11#mgf1sha224 [XMLENC11] SignatureMethod 1341 2009/xmlenc11#mgf1sha256 [XMLENC11] SignatureMethod 1342 2009/xmlenc11#mgf1sha384 [XMLENC11] SignatureMethod 1343 2009/xmlenc11#mgf1sha512 [XMLENC11] SignatureMethod 1344 2009/xmlenc11#pbkdf2 [XMLENC11] EncryptionMethod 1345 2009/xmlenc11#rsa-oaep [XMLENC11] EncryptionMethod 1346 2009/xmlenc11#ECDH-ES [XMLENC11] EncryptionMethod 1347 2009/xmlenc11#dh-es [XMLENC11] EncryptionMethod 1348 2010/xmlsec-ghc#generic-hybrid [GENERIC] Generic Hybrid 1349 2010/xmlsec-ghc#rsaes-kem [GENERIC] Generic Hybrid 1350 2010/xmlsec-ghc#ecies-kem [GENERIC] Generic Hybrid 1352 2021/04/xmldsig-more#chacha20 2.6.7 EncryptionMethod 1353 2021/04/xmldsig-more#ecdsa-sha3-224 2.3.6 SignatureMethod 1354 2021/04/xmldsig-more#ecdsa-sha3-256 2.3.6 SignatureMethod 1355 2021/04/xmldsig-more#ecdsa-sha3-384 2.3.6 SignatureMethod 1356 2021/04/xmldsig-more#ecdsa-sha3-512 2.3.6 SignatureMethod 1357 2021/04/xmldsig-more#eddsa-ed25519ph 2.3.12 SignatureMethod 1358 2021/04/xmldsig-more#eddsa-ed25519ctx 2.3.12 SignatureMethod 1359 2021/04/xmldsig-more#eddsa-ed25519 2.3.12 SignatureMethod 1360 2021/04/xmldsig-more#eddsa-ed448 2.3.12 SignatureMethod 1361
2021/04/xmldsig-more#eddsa-ed448ph 2.3.12 SignatureMethod 1362 2021/04/xmldsig-more#poly1305 2.2.4 SignatureMethod 1363 2021/04/xmldsig-more#siphash-2-4 2.2.5 SignatureMethod 1364 2021/04/xmldsig-more#x25519 2.7.1 AgreementMethod 1365 2021/04/xmldsig-more#xmss-sha2-192 2.2.6 SignatureMethod 1366 2021/04/xmldsig-more#xmss-sha2-256 2.2.6 SignatureMethod 1367 2021/04/xmldsig-more#xmss-shake256-192 2.2.6 SignatureMethod 1368 2021/04/xmldsig-more#xmss-shake256-256 2.2.6 SignatureMethod 1369 2021/04/xmldsig-more#xmssmt-sha2-192 2.2.6 SignatureMethod 1370 2021/04/xmldsig-more#xmssmt-sha2-256 2.2.6 SignatureMethod 1371 2021/04/xmldsig-more#xmssmt-shake256-192 2.2.6 SignatureMethod 1372 2021/04/xmldsig-more#xmssmt-shake256-256 2.2.6 SignatureMethod 1374 TR/1999/REC-xpath-19991116 [XPATH] Transform 1375 TR/1999/REC-xslt-19991116 [XSLT] Transform 1376 TR/2001/06/xml-exc-c14n# [XCANON] Canonicalization 1377 TR/2001/06/xml-exc-c14n#WithComments 1378 [XCANON] Canonicalization 1379 TR/2001/REC-xml-c14n-20010315 [CANON10] Canonicalization 1380 TR/2001/REC-xml-c14n-20010315#WithComments 1381 [CANON10] Canonicalization 1382 TR/2001/REC-xmlschema-1-20010502 [Schema] Transform 1384 The initial "http://www.w3.org/" part of the URI is not included 1385 above. "{Bad}" indicates a Bad value that was accidentally included 1386 in [RFC6931]. Implementations SHOULD only generate the correct URI 1387 but SHOULD understand both the correct and erroneous URI. See also 1388 Appendix B. 1390 5. Allocation Considerations 1392 W3C and IANA allocation considerations are given below. 1394 5.1 W3C Allocation Considerations 1396 As it is easy for people to construct their own unique URIs [RFC3986] 1397 and, if appropriate, to obtain a URI from the W3C, it is not intended 1398 that any additional "http://www.w3.org/2007/05/xmldsig-more#" URIs be 1399 created.
(W3C Namespace stability rules prohibit the creation of new 1400 URIs under "http://www.w3.org/2000/09/xmldsig#" and URIs under 1401 "http://www.w3.org/2001/04/xmldsig-more#" were frozen with the 1402 publication of [RFC4051].) 1404 The W3C has assigned "http://www.w3.org/2021/04/xmldsig-more#" for 1405 additional new URIs specified in this document. 1407 An "xmldsig-more" URI does not imply any official W3C or IETF status 1408 for these algorithms or identifiers nor does it imply that they are 1409 only useful in digital signatures. Currently, dereferencing such 1410 URIs may or may not produce a temporary placeholder document. 1411 Permission to use these URI prefixes has been given by the W3C. 1413 5.2 IANA Considerations 1415 IANA has established a registry entitled "XML Security URIs". The 1416 initial contents correspond to Section 4.2 of this document with each 1417 section number in the "Sec/Doc" column augmented with a reference to 1418 this RFC (for example, "2.6.4" means "[this document], Section 1419 2.6.4"). 1421 New entries, including new Types, will be added based on Expert 1422 Review [RFC8126]. Criteria for inclusion are (1) documentation 1423 sufficient for interoperability of the algorithm or data type and the 1424 XML syntax for its representation and use and (2) sufficient 1425 importance as normally indicated by inclusion in (2a) an approved W3C 1426 Note, Proposed Recommendation, or Recommendation or (2b) an approved 1427 IETF Standards Track document. Typically, the registry will 1428 reference a W3C or IETF document specifying such XML syntax; that 1429 document will either contain a more detailed description of the 1430 algorithm or data type or reference another document with a more 1431 detailed description. 1433 6. Security Considerations 1435 This RFC is concerned with documenting the URIs that designate 1436 algorithms and some data types used in connection with XML security.
1437 The security considerations vary widely with the particular 1438 algorithms, and the general security considerations for XML security 1439 are outside of the scope of this document but appear in [XMLDSIG11], 1440 [XMLENC11], [CANON10], [CANON11], and [GENERIC]. 1442 [RFC6151] should be consulted before considering the use of MD5 as a 1443 DigestMethod or RSA-MD5 as a SignatureMethod. 1445 See [RFC6194] for SHA-1 security considerations and [RFC6151] for MD5 1446 security considerations. 1448 Additional security considerations are given in connection with the 1449 description of some algorithms in the body of this document. 1451 Implementers should be aware that cryptographic algorithms become 1452 weaker with time. As new cryptanalysis techniques are developed and 1453 computing performance improves, the work factor to break a particular 1454 cryptographic algorithm will decrease. Therefore, cryptographic 1455 implementations should be modular, allowing new algorithms to be 1456 readily inserted. That is, implementers should be prepared for the 1457 set of mandatory-to-implement algorithms for any particular use to 1458 change over time. This is sometimes referred to as "algorithm 1459 agility". 1461 Acknowledgements 1463 The contributions of the following, listed in alphabetic order, by 1464 reporting errata against [RFC6931] or contributing to this document, 1465 are gratefully acknowledged: 1467 Pim van der Eijk, Frederick Hirsch, Gayle Noble, Axel Puhlmann, 1468 Annie Yousar 1470 The contributions of the following, listed in alphabetic order, to 1471 [RFC6931], on which this document is based, are gratefully 1472 acknowledged: 1474 Benoit Claise, Adrian Farrel, Stephen Farrell, Ernst Giessmann, 1475 Frederick Hirsch, Bjoern Hoehrmann, Russ Housley, Satoru Kanno, 1476 Charlie Kaufman, Konrad Lanz, HwanJin Lee, Barry Leiba, Peter 1477 Lipp, Subramanian Moonesamy, Thomas Roessler, Hanseong Ryu, Peter 1478 Saint-Andre, and Sean Turner.
1480 The following contributors to [RFC4051] are gratefully acknowledged: 1482 Glenn Adams, Merlin Hughs, Gregor Karlinger, Brian LaMachia, Shiho 1483 Moriai, Joseph Reagle, Russ Housley, and Joel Halpern. 1485 Appendix A: Changes from RFC 6931 1487 The following changes have been made in RFC 6931 to produce this 1488 document. 1490 1. Delete Appendix on Changes from RFC 4051, since they were already 1491 included in RFC 6931, and remove reference to RFC 4051 and to the 1492 one Errata against RFC 4051. 1494 2. Fix three errata as follows: [Err3597], [Err3965], and [Err4004]. 1495 In cases where [RFC6931] had an erroneous URI, it is still 1496 included in the indices and it is stated that implementations 1497 SHOULD only generate the correct URI but SHOULD understand both 1498 the correct and erroneous URI. 1500 3. Added the following algorithms: 1502 Section Algorithm(s) 1503 ------- ------------ 1504 2.2.4 Poly1305 1505 2.2.5 SipHash-2-4 1506 2.2.6 XMSS and XMSSMT 1507 2.3.6 ECDSA with SHA3 1508 2.3.12 Edwards-Curve Signatures 1509 2.6.7 ChaCha20 1510 2.7.1 X25519 1512 4. Listed ECIES-KEM and RSAES-KEM in Section 2.6.4 so they are 1513 easier to find even though the URI for them is specified in 1514 [GENERIC]. 1516 5. Updated references for [GENERIC] and FIPS 186, added appropriate 1517 references. 1519 6. Minor typo fixes and editorial changes. 1521 Appendix B: Bad URIs 1523 [RFC6931] included two bad URIs as shown below. "{Bad}" in the 1524 indexes (Sections 4.1 and 4.2) indicates such a Bad value. 1525 Implementations SHOULD only generate the correct URI but SHOULD 1526 understand both the correct and erroneous URI. 1528 2006/12/xmlc12n11# 1529 Appears in the indices (Sections 4.1 and 4.2) of [RFC6931] when it 1530 should be "2006/12/xmlc14n11#" (i.e., "12" should have been 1531 "14"). This is [Err3965] and is corrected in this document.
1533 2007/05/xmldsig-more#rsa-sha224 1534 Appears in the indices (Sections 4.1 and 4.2) of [RFC6931] when it 1535 should be "2001/04/xmldsig-more#rsa-sha224". This is [Err4004] 1536 and is corrected in this document. 1538 Appendix Z: Change History 1540 RFC Editor Note: Please delete this Appendix before publication. 1542 -00 to -01 to -02 to -03 to -04 to -05 to -06 to -07 to -08 1544 Bump up version and date to keep draft alive as a place where new 1545 URIs can be accumulated. At some point in here, author address was 1546 updated. 1548 -08 to -09 to -10 1550 Update author affiliation and references. 1552 -10 to -11 1554 Update author address. 1556 -11 to -12 1558 Bump up version and date to keep draft alive. 1560 -12 to -13 1562 Numerous editorial/typo fixes thanks to Gayle Noble who is added to 1563 the acknowledgements section. 1565 -13 to -14 1567 Numerous additional algorithms almost all as requested by Pim van der 1568 Eijk who is added to the acknowledgements section. Update and add 1569 references. 1571 -14 to -15 1573 Add URLs for ECDSA with SHA3, SipHash-2-4, X25519, XMSS and XMSSMT. 1574 Add RFC reference 5869 for HKDF but not yet added elsewhere in the 1575 document. 1577 Normative References 1579 [10118-3] - ISO, "Information technology -- Security techniques -- 1580 Hash-functions -- Part 3: Dedicated hash-functions", ISO/IEC 1581 10118-3:2004, 2004. 1583 [18033-2] - ISO, "Information technology -- Security techniques -- 1584 Encryption algorithms -- Part 3: Asymmetric ciphers", ISO/IEC 1585 18033-2:2010, 2010. 1587 [Camellia] - Aoki, K., Ichikawa, T., Matsui, M., Moriai, S., 1588 Nakajima, J., and T. Tokita, "Camellia: A 128-bit Block Cipher 1589 Suitable for Multiple Platforms - Design and Analysis", in 1590 Selected Areas in Cryptography, 7th Annual International 1591 Workshop, SAC 2000, August 2000, Proceedings, Lecture Notes in 1592 Computer Science 2012, pp. 39-56, Springer-Verlag, 2001.
1594     [FIPS180-4] - US National Institute of Science and Technology,
1595           "Secure Hash Standard (SHS)", FIPS 180-4, March 2012,
1596           .

1599     [FIPS186-4] - US National Institute of Science and Technology,
1600           "Digital Signature Standard (DSS)", FIPS 186-4, July 2013,
1601           .

1603     [FIPS202] - US National Institute of Science and Technology, "SHA-3
1604           Standard: Permutation-Based Hash and Extendable-Output
1605           Functions", FIPS 202, August 2015,
1606           .

1608     [IEEEP1363a] - IEEE, "Standard Specifications for Public Key
1609           Cryptography- Amendment 1: Additional Techniques", IEEE
1610           1363a-2004, 2004.

1612     [NIST800-208] - US National Institute of Science and Technology,
1613           "Recommendation for Stateful Hash-Based Signature Schemes",
1614           NIST 800-208, October 2020,
1615           .

1617     [RC4] - Schneier, B., "Applied Cryptography: Protocols, Algorithms,
1618           and Source Code in C", Second Edition, John Wiley and Sons, New
1619           York, NY, 1996.

1621     [RFC1321] - Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
1622           April 1992.

1624     [RFC2045] - Freed, N. and N. Borenstein, "Multipurpose Internet Mail
1625           Extensions (MIME) Part One: Format of Internet Message Bodies",
1626           RFC 2045, November 1996.

1628     [RFC2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
1629           Hashing for Message Authentication", RFC 2104, February 1997.

1631     [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate
1632           Requirement Levels", BCP 14, RFC 2119, March 1997.

1634     [RFC2315] - Kaliski, B., "PKCS #7: Cryptographic Message Syntax
1635           Version 1.5", RFC 2315, March 1998.

1637     [RFC3275] - Eastlake 3rd, D., Reagle, J., and D. Solo, "(Extensible
1638           Markup Language) XML-Signature Syntax and Processing", RFC
1639           3275, March 2002.

1641     [RFC3394] - Schaad, J. and R. Housley, "Advanced Encryption Standard
1642           (AES) Key Wrap Algorithm", RFC 3394, September 2002.

1644     [RFC3713] - Matsui, M., Nakajima, J., and S. Moriai, "A Description
1645           of the Camellia Encryption Algorithm", RFC 3713, April 2004.

1647     [RFC3986] - Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
1648           Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
1649           January 2005.

1651     [RFC4050] - Blake-Wilson, S., Karlinger, G., Kobayashi, T., and Y.
1652           Wang, "Using the Elliptic Curve Signature Algorithm (ECDSA) for
1653           XML Digital Signatures", RFC 4050, April 2005.

1655     [RFC4055] - Schaad, J., Kaliski, B., and R. Housley, "Additional
1656           Algorithms and Identifiers for RSA Cryptography for use in the
1657           Internet X.509 Public Key Infrastructure Certificate and
1658           Certificate Revocation List (CRL) Profile", RFC 4055, June
1659           2005.

1661     [RFC4269] - Lee, H., Lee, S., Yoon, J., Cheon, D., and J. Lee, "The
1662           SEED Encryption Algorithm", RFC 4269, December 2005.

1664     [RFC5869] - Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-
1665           Expand Key Derivation Function (HKDF)", RFC 5869, DOI
1666           10.17487/RFC5869, May 2010, .

1669     [RFC6234] - Eastlake 3rd, D. and T. Hansen, "US Secure Hash
1670           Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, May
1671           2011.

1673     [RFC7539] - Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
1674           Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015,
1675           .

1677     [RFC7748] - Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
1678           for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016,
1679           .

1681     [RFC8017] - Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
1682           "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC
1683           8017, DOI 10.17487/RFC8017, November 2016, .

1686     [RFC8032] - Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
1687           Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032,
1688           January 2017, .

1690     [RFC8126] - Cotton, M., Leiba, B., and T. Narten, "Guidelines for
1691           Writing an IANA Considerations Section in RFCs", BCP 26, RFC
1692           8126, DOI 10.17487/RFC8126, June 2017, .
1695     [RFC8174] - Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
1696           2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May
1697           2017, .

1699     [SipHash1] - Aumasson, J. and D. Bernstein, "SipHash: A Fast Short-
1700           Input PRF", Progress in Cryptology - INDOCRYPT 2012, Lecture
1701           Notes in Computer Science, vol. 7668, December 2012,
1702           .

1704     [SipHash2] - Aumasson, J. and D. Bernstein, "SipHash: A Fast Short-
1705           Input PRF", Department of Computer Science, University of
1706           Illinois at Chicago,
1707           .

1709     [X9.62] - American National Standards Institute, Accredited Standards
1710           Committee X9, "Public Key Cryptography for the Financial
1711           Services Industry: The Elliptic Curve Digital Signature
1712           Algorithm (ECDSA)", ANSI X9.62:2005, 2005.

1714     [XMLENC10] - Reagle, J. and D. Eastlake, "XML Encryption Syntax and
1715           Processing", W3C Recommendation, 10 December 2002,
1716           .

1718     [XMLENC11] - Eastlake, D., Reagle, J., Hirsch, F., and T. Roessler,
1719           "XML Encryption Syntax and Processing Version 1.1", W3C
1720           Proposed Recommendation, 11 April 2013,
1721           .

1723     [XPointer] - Grosso, P., Maler, E., Marsh, J., and N. Walsh,
1724           "XPointer Framework", W3C Recommendation, 25 March 2003,
1725           .

1727  Informational References

1729     [CANON10] - Boyer, J., "Canonical XML Version 1.0", W3C
1730           Recommendation, 15 March 2001, .

1733     [CANON11] - Boyer, J., and G. Marcy, "Canonical XML Version 1.1", W3C
1734           Recommendation, 2 May 2008, .

1737     [ChaCha] - Bernstein, D., "ChaCha, a variant of Salsa20", January
1738           2008, .

1740     [DECRYPT] - Hughes, M., Imamura, T., and H. Maruyama, "Decryption
1741           Transform for XML Signature", W3C Recommendation, 10 December
1742           2002, .

1744     [Err3597] - RFC Errata, Errata ID 3597, RFC 6931, .

1747     [Err3965] - RFC Errata, Errata ID 3965, RFC 6931, .

1750     [Err4004] - RFC Errata, Errata ID 4004, RFC 6931, .

1753     [GENERIC] - Nystrom, M. and F. Hirsch, "XML Security Generic Hybrid
1754           Ciphers", W3C Working Group Note, 11 April 2013,
1755           .

1757     [Keccak] - Bertoni, G., Daemen, J., Peeters, M., and G. Van Assche,
1758           "The KECCAK sponge function family", January 2013,
1759           .

1761     [Poly1305] - Bernstein, D., "The Poly1305-AES message-authentication
1762           code", March 2005, .

1764     [RFC3075] - Eastlake 3rd, D., Reagle, J., and D. Solo, "XML-Signature
1765           Syntax and Processing", RFC 3075, March 2001.

1767     [RFC3076] - Boyer, J., "Canonical XML Version 1.0", RFC 3076, March
1768           2001.

1770     [RFC3092] - Eastlake 3rd, D., Manros, C., and E. Raymond, "Etymology
1771           of "Foo"", RFC 3092, April 1 2001.

1773     [RFC3741] - Boyer, J., Eastlake 3rd, D., and J. Reagle, "Exclusive
1774           XML Canonicalization, Version 1.0", RFC 3741, March 2004.

1776     [RFC4010] - Park, J., Lee, S., Kim, J., and J. Lee, "Use of the SEED
1777           Encryption Algorithm in Cryptographic Message Syntax (CMS)",
1778           RFC 4010, February 2005.

1780     [RFC4051] - Eastlake 3rd, D., "Additional XML Security Uniform
1781           Resource Identifiers (URIs)", RFC 4051, April 2005.

1783     [RFC6090]
1784           - D. McGrew, K. Igoe, M. Salter, "Fundamental Elliptic Curve
1785           Cryptography Algorithms", RFC 6090, February 2011.
1786           - Note RFC Errata numbers 2773, 2774, 2775, 2776, and 2777.

1788     [RFC6151] - Turner, S. and L. Chen, "Updated Security Considerations
1789           for the MD5 Message-Digest and the HMAC-MD5 Algorithms", RFC
1790           6151, March 2011.

1792     [RFC6194] - Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
1793           Considerations for the SHA-0 and SHA-1 Message-Digest
1794           Algorithms", RFC 6194, March 2011.

1796     [RFC6931] - Eastlake 3rd, D., "Additional XML Security Uniform
1797           Resource Identifiers (URIs)", RFC 6931, April 2013,
1798           .

1800     [Schema] - Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn,
1801           "XML Schema Part 1: Structures Second Edition", W3C
1802           Recommendation, 28 October 2004,
1803           .
1804           - Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes
1805           Second Edition", W3C Recommendation, 28 October 2004,
1806           .

1808     [SHA-3] - US National Institute of Science and Technology, "SHA-3
1809           WINNER", February 2013, .

1812     [W3C] - World Wide Web Consortium, .

1814     [XCANON] - Boyer, J., Eastlake, D., and J. Reagle, "Exclusive XML
1815           Canonicalization Version 1.0", W3C Recommendation, 18 July
1816           2002, .

1818     [XMLDSIG10] - Eastlake, D., Reagle, J., Solo, D., Hirsch, F., and T.
1819           Roessler, "XML Signature Syntax and Processing (Second
1820           Edition)", W3C Recommendation, 10 June 2008,
1821           ./

1823     [XMLDSIG11] - Eastlake, D., Reagle, J., Solo, D., Hirsch, F.,
1824           Nystrom, M., Roessler, T., and K. Yiu, "XML Signature Syntax
1825           and Processing Version 1.1", W3C Proposed Recommendation, 11
1826           April 2013, .

1828     [XMLDSIG-PROP] - Hirsch, F., "XML Signature Properties", W3C Proposed
1829           Recommendation, 24 January 2013, .

1832     [XMLSEC] - Eastlake, D., and K. Niles, "Secure XML: The New Syntax
1833           for Signatures and Encryption", Addison-Wesley (Pearson
1834           Education), 2003, ISBN 0-201-75605-6.

1836     [XMLSECXREF] - Hirsch, F., Roessler, T., and K. Yiu, "XML Security
1837           Algorithm Cross-Reference", W3C Working Group Note, 24 January
1838           2013, .

1841     [XPATH] - Boyer, J., Hughes, M., and J. Reagle, "XML-Signature XPath
1842           Filter 2.0", W3C Recommendation, 8 November 2002,
1843           .
1844           - Berglund, A., Boag, S., Chamberlin, D., Fernandez, M., Kay,
1845           M., Robie, J., and J. Simeon, "XML Path Language (XPath) 2.0
1846           (Second Edition)", W3C Recommendation, 14 December 2010,
1847           .

1849     [XSLT] - Saxonica, M., "XSL Transformations (XSLT) Version 2.0", W3C
1850           Recommendation, 23 January 2007,
1851           .

1853  Author's Address

1855     Donald E. Eastlake 3rd
1856     Futurewei Technologies, Inc.
1857     2386 Panoramic Circle
1858     Apopka, FL 32703 USA

1860     Phone: +1-508-333-2270
1861     EMail: d3e3e3@gmail.com

1863  Copyright, Disclaimer, and Additional IPR Provisions

1865     Copyright (c) 2021 IETF Trust and the persons identified as the
1866     document authors. All rights reserved.

1868     This document is subject to BCP 78 and the IETF Trust's Legal
1869     Provisions Relating to IETF Documents
1870     (http://trustee.ietf.org/license-info) in effect on the date of
1871     publication of this document. Please review these documents
1872     carefully, as they describe your rights and restrictions with respect
1873     to this document. Code Components extracted from this document must
1874     include Simplified BSD License text as described in Section 4.e of
1875     the Trust Legal Provisions and are provided without warranty as
1876     described in the Simplified BSD License. The definitive version of
1877     an IETF Document is that published by, or under the auspices of, the
1878     IETF. Versions of IETF Documents that are published by third parties,
1879     including those that are translated into other languages, should not
1880     be considered to be definitive versions of IETF Documents. The
1881     definitive version of these Legal Provisions is that published by, or
1882     under the auspices of, the IETF. Versions of these Legal Provisions
1883     that are published by third parties, including those that are
1884     translated into other languages, should not be considered to be
1885     definitive versions of these Legal Provisions. For the avoidance of
1886     doubt, each Contributor to the IETF Standards Process licenses each
1887     Contribution that he or she makes as part of the IETF Standards
1888     Process to the IETF Trust pursuant to the provisions of RFC 5378. No
1889     language to the contrary, or terms, conditions or rights that differ
1890     from or are inconsistent with the rights and licenses granted under
1891     RFC 5378, shall have any effect and shall be null and void, whether
1892     published or posted by such Contributor, or included with or in such
1893     Contribution.