OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] SAML simplesign useful in practice?


Well... I know that Orange in France has implemented simplesign and uses 
it according to the spec. I don't know any data regarding usage. At AOL 
we use the simplesign algorithm but since we use it for server-to-server 
calls it's not fully spec compliant (note that simplesign is tied to the 
use of a user-agent). Given that simplesign is based on just signing the 
XML "string" we have seen partners use scripts (e.g. perl and ssh) to do 
the signing and submit messages. Having a simple script that can do the 
signing has proved useful in helping partners get the signature part 
correct.

Good libraries in all the major development languages (including web 
development like php, ruby, python, erlang, etc) and some simple command 
line tools/scripts could probably mitigate the need for SimpleSign.  The 
issue with libraries is that they have to be integrated into code, and 
the library design can have an impact on how easy/hard that integration 
is. So, being able to easily script the signing is pretty critical to 
adoption.

Thinking out loud... if there was a command line utility that took an 
XML document and its XSD(s) and was able to construct the output XML 
document with embedded signature (and the equivalent decode mech) this 
might suffice for those environments where scripting is critical. Just 
not sure how easy it would be to generate such a tool. I know that when 
trying to get tooling libraries like xmlbeans or axis to build code, 
just getting all the right XSDs in some place that the tooling can find 
is tedious/complicated.

The purist in me would prefer to standardize on XMLdsig :) However, 
seeing how many problems partners have had getting the signature right 
(albeit once it's figured out it doesn't tend to be a recurring problem), 
the pragmatic in me is a little concerned that without the right tools 
we won't be able to on-board as many partners.

Thanks,
George


RL 'Bob' Morgan wrote:
>
> Over in the XRI TC there is a design item to be finished regarding 
> signing of XRD documents, and the perhaps predictable discussion of 
> whether specifying XML DSIG would be a barrier to adoption, hence 
> whether to specify something similar to the SAML simplesign method.  
> In fact the existence of SAML simplesign is held up as evidence that 
> DSIG is a problem, and of course that is indeed the justification for 
> simplesign.  I think the most compelling part of the argument was that 
> implementations of DSIG for some popular scripting languages (e.g. PHP) 
> were lacking, creating the adoption problem.
>
> So the questions being asked of the SAML community are (a) whether 
> simplesign has been implemented and deployed and has enabled more 
> adoption as intended; and (b) whether, at this late date, acceptable 
> XML DSIG implementations now exist for all those languages such that 
> signing via DSIG isn't a problem any more (which might explain why the 
> simplesign doc is still at CD stage perhaps).
>
> Does anyone here have any observations or opinions on this?
>
>  - RL "Bob"


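The signing step George describes above, where a partner signs a string built from the message rather than producing an XML DSIG structure, as an added example that is not code from AOL, Orange, or the SAML TC. It follows this reader's understanding of the HTTP-POST-SimpleSign draft: the signed octets are `SAMLRequest=` or `SAMLResponse=` followed by the raw (not base64-encoded) XML, then `&RelayState=` only when a RelayState is present, then `&SigAlg=`, while the form fields carry the base64 message and the base64 signature; check that reading against the CD before relying on it. The `Message` type, the function names, the choice of RSA-SHA256 and the sample response XML are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// SigAlgRSASHA256 is the XML DSIG URI for RSA with SHA-256. The verifier pins this one
// value; it never lets the sender's SigAlg field choose the algorithm.
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// SampleResponse is a constructed, minimal SAML-looking message used only as input here.
const SampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1"><samlp:Status/></samlp:Response>`

// Message is the logical content of a simplesign form post (assumed shape, not spec text).
type Message struct {
	Param      string // "SAMLRequest" or "SAMLResponse"
	XML        string // the protocol message exactly as serialized, not base64
	RelayState string // optional
	SigAlg     string
}

// SignedString builds the exact octet string that is signed. Getting this concatenation
// byte-for-byte identical on both sides is the part partners most often get wrong.
func SignedString(m Message) string {
	s := m.Param + "=" + m.XML
	if m.RelayState != "" {
		s += "&RelayState=" + m.RelayState
	}
	return s + "&SigAlg=" + m.SigAlg
}

// Sign produces the form fields a partner would POST: base64 message, RelayState (if any),
// SigAlg, and a base64 PKCS#1 v1.5 signature over SignedString(m).
func Sign(priv *rsa.PrivateKey, m Message) (map[string]string, error) {
	if m.Param != "SAMLRequest" && m.Param != "SAMLResponse" {
		return nil, fmt.Errorf("unknown parameter name %q", m.Param)
	}
	if m.SigAlg != SigAlgRSASHA256 {
		return nil, fmt.Errorf("unsupported SigAlg %q", m.SigAlg)
	}
	digest := sha256.Sum256([]byte(SignedString(m)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	form := map[string]string{
		m.Param:     base64.StdEncoding.EncodeToString([]byte(m.XML)),
		"SigAlg":    m.SigAlg,
		"Signature": base64.StdEncoding.EncodeToString(sig),
	}
	if m.RelayState != "" {
		form["RelayState"] = m.RelayState
	}
	return form, nil
}

// Verify rebuilds the signed string from the received form fields and checks the signature
// with a key the receiver already trusts (never one carried in the form itself).
func Verify(pub *rsa.PublicKey, form map[string]string) (Message, error) {
	var m Message
	switch {
	case form["SAMLRequest"] != "" && form["SAMLResponse"] == "":
		m.Param = "SAMLRequest"
	case form["SAMLResponse"] != "" && form["SAMLRequest"] == "":
		m.Param = "SAMLResponse"
	default:
		return m, errors.New("exactly one of SAMLRequest or SAMLResponse must be present")
	}
	xml, err := base64.StdEncoding.DecodeString(form[m.Param])
	if err != nil {
		return m, fmt.Errorf("bad base64 in %s: %w", m.Param, err)
	}
	m.XML, m.RelayState, m.SigAlg = string(xml), form["RelayState"], form["SigAlg"]
	if m.SigAlg != SigAlgRSASHA256 {
		return m, fmt.Errorf("unsupported SigAlg %q", m.SigAlg)
	}
	sig, err := base64.StdEncoding.DecodeString(form["Signature"])
	if err != nil {
		return m, fmt.Errorf("bad base64 in Signature: %w", err)
	}
	digest := sha256.Sum256([]byte(SignedString(m)))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return m, fmt.Errorf("signature check failed: %w", err)
	}
	return m, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key for the demo
	msg := Message{Param: "SAMLResponse", XML: SampleResponse, RelayState: "cookie:123", SigAlg: SigAlgRSASHA256}
	form, err := Sign(priv, msg)
	if err != nil {
		panic(err)
	}
	_, err = Verify(&priv.PublicKey, form)
	fmt.Println("verify as sent:", err)
	form["RelayState"] = "cookie:999" // RelayState is inside the signed string, so this must fail
	_, err = Verify(&priv.PublicKey, form)
	fmt.Println("verify after tampering RelayState:", err)
}
```

Two points worth keeping when turning this into a partner-facing script: the verifier must pin the algorithm and the trusted key rather than accepting whatever SigAlg or KeyInfo the form carries, and the string that is signed is the raw XML, so any re-serialization between signing and posting (whitespace normalization, namespace prefix changes) will break the signature in a way that is invisible in the base64 form field.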