Peter, Peter Sylvester wrote:
But what is actually needed by a policy checker? It doesn't even
know key length or hash size or whatever else. It only has to
know that for each algorithm there are some values defined.
I think one should have an approach like MIBs in SNMP, so
one would say (now in XML) something like
<Algorithm Name="urifor RSA" Oid="xxx">
  <param>1024</param>
  <param>4096</param>
</Algorithm>
I'm not sure whether I understand your suggestion. In your example above, you suggest simply having a list of all currently valid key lengths? But where do you keep the validity periods of the particular values (key lengths)? A second problem I see is that some algorithms are defined by more than one parameter (e.g. DSA: 'p' and 'q'). So in the XML encoding you have to distinguish the different parameters (e.g. via their names).
In a policy one would only specify value constraints on the parameters of an actual algorithm, a kind of pattern which can always be checked, for example: first parameter must be greater than 1023, second less than 8192, or whatever.
Do you mean to encode this pattern in XML? And for example such a pattern would say: 'If a value of 1024 is valid, every value greater than 1024 is also valid'?
In principle I agree with you. We are also discussing the problem which arises if new algorithms are added (see Susanne's mail which also addresses this topic).
Thomas
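As an added example (not code from this thread, and not from either Peter or Thomas), here is one way to encode Peter's "pattern" idea in XML while keeping the two things Thomas asks about: a validity period per rule, and named parameters so that an algorithm such as DSA can constrain 'p' and 'q' separately. The schema (Rule, Param, Min, Max, ValidFrom, ValidUntil), the sample dates and the key-size values are assumptions made up for the illustration; the RSA and DSA OIDs are the standard ones.

```python
"""Toy XML policy checker for algorithm parameter constraints.

Schema and policy values are illustrative assumptions, not taken from the
mailing-list thread. A parameter is accepted on a given date only if some
<Rule> for that algorithm is in force on that date and every <Param> it names
lies inside the rule's [Min, Max] range; anything else is rejected (fail closed).
"""
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed sample policy. Each <Rule> has its own validity period, so a key
# length can be allowed until one date and a larger one required afterwards.
POLICY_XML = """\
<Policy>
  <Algorithm Name="RSA" Oid="1.2.840.113549.1.1.1">
    <Rule ValidFrom="2000-01-01" ValidUntil="2008-12-31">
      <Param Name="modulusBits" Min="1024" Max="8192"/>
    </Rule>
    <Rule ValidFrom="2009-01-01" ValidUntil="2030-12-31">
      <Param Name="modulusBits" Min="2048" Max="8192"/>
    </Rule>
  </Algorithm>
  <Algorithm Name="DSA" Oid="1.2.840.10040.4.1">
    <Rule ValidFrom="2000-01-01" ValidUntil="2010-12-31">
      <Param Name="p" Min="1024" Max="1024"/>
      <Param Name="q" Min="160" Max="160"/>
    </Rule>
    <Rule ValidFrom="2011-01-01" ValidUntil="2030-12-31">
      <Param Name="p" Min="2048"/>
      <Param Name="q" Min="224"/>
    </Rule>
  </Algorithm>
</Policy>
"""


def _date(value):
    """Accept either a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, dt.date) else dt.date.fromisoformat(value)


def load_policy(xml_text):
    """Parse the policy into {algorithm name: [(valid_from, valid_until, params)]}
    where params maps a parameter name to an (min, max) pair; None means unbounded."""
    root = ET.fromstring(xml_text)
    policy = {}
    for alg in root.findall("Algorithm"):
        rules = []
        for rule in alg.findall("Rule"):
            params = {}
            for p in rule.findall("Param"):
                lo = int(p.get("Min")) if p.get("Min") is not None else None
                hi = int(p.get("Max")) if p.get("Max") is not None else None
                params[p.get("Name")] = (lo, hi)
            rules.append((_date(rule.get("ValidFrom")),
                          _date(rule.get("ValidUntil")), params))
        policy[alg.get("Name")] = rules
    return policy


def check(policy, name, values, on):
    """Return (accepted, reason) for algorithm `name` with parameter dict `values`
    evaluated on date `on`. Unknown algorithms and dates with no rule in force
    are rejected, so a policy gap never silently accepts a key."""
    on = _date(on)
    rules = policy.get(name)
    if rules is None:
        return False, "unknown algorithm %s" % name
    in_force = [r for r in rules if r[0] <= on <= r[1]]
    if not in_force:
        return False, "no rule for %s in force on %s" % (name, on)
    failures = []
    for _, _, params in in_force:
        failures = []
        for pname, (lo, hi) in params.items():
            v = values.get(pname)
            if v is None:
                failures.append("missing %s" % pname)
            elif lo is not None and v < lo:
                failures.append("%s=%d below %d" % (pname, v, lo))
            elif hi is not None and v > hi:
                failures.append("%s=%d above %d" % (pname, v, hi))
        if not failures:
            return True, "ok"
    return False, "; ".join(failures)


if __name__ == "__main__":
    pol = load_policy(POLICY_XML)
    print(check(pol, "RSA", {"modulusBits": 1024}, "2005-06-01"))
    print(check(pol, "RSA", {"modulusBits": 1024}, "2012-06-01"))
    print(check(pol, "DSA", {"p": 1024}, "2005-06-01"))
```

The checker itself knows nothing about what "modulusBits" or "p" mean, which is Peter's point: it only needs to know that each algorithm has some named values with a range, and the range comparisons are the whole "pattern". The validity window on each rule is what answers Thomas's first question, and the named parameters his second.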