This document should not be considered as design. It is purely an input into the design meeting in Feb 2013. It may then become an input into an eventual design document.

Current State of XML Signature / Encryption

SHA-1 is being deprecated in favor of SHA-2 (256 primarily).

RSA > 4096 is viewed as diminishing returns.

ECDSA supported by Java 6+, xmlsec 1.5+, but compiled out of every Red Hat OpenSSL release.

RSA-PKCS 1.5 key transport is vulnerable to key recovery.

AES-CBC encryption is vulnerable to plaintext recovery via chosen ciphertext unless signing is done.

AES-GCM unsupported by Java w/o Bouncy Castle (untested with), unsupported by OpenSSL < 1.0.1

Open

What changes to defaults do we want or need to make?

See Message Level Security, an old document discussing issues connected to changing defaults related to signing.

What mechanism do we have or want to have for blacklisting or whitelisting algorithms?

Are there algorithms we need to block? Should we enforce minimum key sizes?