Subject: Re: [xri] SimpleSign Implementation




Ben Laurie wrote:
> On Mon, Dec 22, 2008 at 1:29 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
>   
>> Hi.
>>
>> No, it is not silly. It is a good question to ask.
>>
>> My answer would be:
>>
>> a) TLS is only security for the pipes. It does not protect the message per
>> se.
>>  With a signed document, you can verify the authenticity and validity of a
>> cache / detached document.
>> b) TLS requires a dedicated IP address. Sites like Google providing services
>> to
>>  the companies in the companies' domain do not have enough IP addresses to
>> serve TLS.
>>  This is another reason.
>>     
>
> This is not actually true anymore - you can use the SNI extension to
> share an IP address. Because legacy browsers don't support it, it
> isn't so great for websites, but for a specialist application like
> retrieving XRD it would work just fine.
>   
Are they implemented widely in common scripting language libraries?
Are they implemented widely in the current http servers?
>   
>> c) There are not enough XMLDSIG implementations yet, and it is complex to
>> implement yourself.
>>  This is becoming a hindrance to the adoption.
>>
>> a) and b) call for a message based protection. This calls for something
>> like XML Dsig.
>> c) Calls for something simpler than XML Dsig.
>>     
>
> Or more implementations.
>   
Yes. And we are not seeing these yet, unfortunately.
(BTW, that's another initiative I am willing to run when I get more 
bandwidth.)
>   
>> Therefore, we have SimpleSign.
>>
>> Regards,
>>
>> =nat
>>
>> Joseph Anthony Pasquale Holsten wrote:
>>     
>>> I'm trying to wrap my head around the security implications of
>>> SimpleSign, and I'm wondering where exactly it is better than TLS or
>>> XMLDSIG.
>>>
>>> While SimpleSign is designed to be easy to implement, it still has
>>> less implementations than TLS, or even XMLDSIG. There is also less
>>> existing security analysis, test cases, &c.
>>>
>>> The certificate from SimpleSign is X509, so depends upon the support
>>> of a CA. A certificate will only be valid if the subject applies to
>>> the CanonicalID. Getting such a certificate will cost the same as a
>>> TLS certificate, if they are not identical.
>>>
>>> Why should I use a SimpleSign implementation instead of TLS or XMLDSIG?
>>>
>>> Some possible answers:
>>> * You shouldn't. (NO!!!)
>>> * Using TLS would require either all resources must be encrypted and
>>> sign (significant overhead), or that the XRD must be available under
>>> TLS while other resources may not (significant complexity).
>>>  * Using TLS means that an XRD cannot be provided under restrictive
>>> hosting environments, as it cannot be implemented by uploading a PHP
>>> script over FTP.
>>> * Using XMLDSIG requires either a custom implementation (error
>>> prone), or support for a known-good implementation (restricted
>>> environments).
>>> * SimpleSign is simple enough that an amateur can implement it
>>> without worry of error, is easy to host, and allows flexible security
>>> for other resources.
>>>
>>> http://josephholsten.com
>>>
>>> PS. I'm still trying to get up to speed with everything in XRI, so
>>> I'm sorry if I ask silly questions
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
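Added illustration of Nat's point (a), not code from this thread or from the SimpleSign specification: a detached signature over an XRD document can still be verified on a cached copy after the TLS connection that delivered it is gone, while an altered copy fails. The XRD text, the key, and the function names are constructed for this example; since the page does not describe SimpleSign's signature format, plain ECDSA P-256 over SHA-256 stands in for it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed sample: an XRD a resolver might fetch once and then cache.
const xrd = `<XRD xmlns="xri://$xrd*($v*2.0)"><CanonicalID>=example</CanonicalID></XRD>`

// signDetached returns an ASN.1 ECDSA signature over SHA-256(doc). The
// signature is carried separately from the document, so the two can be
// stored together and re-checked without any transport-level protection.
func signDetached(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// verifyDetached re-hashes the (possibly cached) document and checks the
// detached signature against the publisher's public key.
func verifyDetached(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// demo signs the XRD, then verifies an exact cached copy and a copy whose
// CanonicalID was changed. It returns (cachedOK, alteredOK, err).
func demo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig, err := signDetached(priv, []byte(xrd))
	if err != nil {
		return false, false, err
	}
	cached := []byte(xrd) // byte-identical copy served later from a cache
	altered := []byte(strings.Replace(xrd, "=example", "=other", 1))
	return verifyDetached(&priv.PublicKey, cached, sig),
		verifyDetached(&priv.PublicKey, altered, sig), nil
}

func main() {
	ok, bad, err := demo()
	fmt.Println("cached copy verifies:", ok, "| altered copy verifies:", bad, "| err:", err)
}
```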