[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xri] SimpleSign Implementation
On Mon, Dec 22, 2008 at 1:29 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote: > Hi. > > No, it si not silly. It is a good question to ask. > > My answer would be: > > a) TLS is only a security for the pipes. It does not protect the message per > se. > With a signed document, you can verify the authenticity and validity of a > cache / detached document. > b) TLS requires a dedicated IP address. Sites like Google providing services > to > the companies in the companies' domain do not have enough IP address to > server TLS. > This is another reason. This is not actually true anymore - you can use the SNI extension to share an IP address. Because legacy browsers don't support it, it isn't so great for websites, but for a specialist application like retrieving XRD it would work just fine. > c) There are not enough XMLDSIG implementations yet, and it is complex to > implement yourself. > This is becoming a hinderance to the adoption. > > a) and b) calls for a message based protection. This calls for something > like XML Dsig. > c) Calls for something simpler than XML Dsig. Or more implementations. > > Therefore, we have SimpleSign. > > Regards, > > =nat > > Joseph Anthony Pasquale Holsten wrote: >> >> I'm trying to wrap my head around the security implications of >> SimpleSign, and I'm wondering where exactly it is better than TLS or >> XMLDSIG. >> >> While SimpleSign is designed to be easy to implement, it still has >> less implementations than TLS, or even XMLDSIG. There is also less >> existing security analysis, test cases, &c. >> >> The certificate from SimpleSign is X509, so depends upon the support >> of a CA. A certificate will only be valid if the subject applies to >> the CannonicalID. Getting such a certificate will cost the same as a >> TLS certificate, if they are not the identical. >> >> Why should I use a SimpleSign implementation instead of TLS or XMLDSIG? >> >> Some possible answers: >> * You shouldn't. (NO!!!) >> * Using TLS would require either all resources must be encrypted and >> sign (significant overhead), or that the XRD must be available under >> TLS while other resources may not (significant complexity). >> * Using TLS means that an XRD cannot be provided under restrictive >> hosting environments, as it cannot be implemented by uploading a PHP >> script over FTP. >> * Using XMLDSIG requires either a custom implementation (error >> prone), or support for a known-good implementation (restricted >> environments). >> * SimpleSign is simple enough that an amateur can implement it >> without worry of error, is easy to host, and allows flexible security >> for other resources. >> >> http://josephholsten.com >> >> PS. I'm still trying to get up to speed with everything in XRI, so >> I'm sorry if I ask silly questions >> >> --------------------------------------------------------------------- >> To unsubscribe from this mail list, you must leave the OASIS TC that >> generates this mail. Follow this link to all your TCs in OASIS at: >> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php >> >> > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]