Subject: Re: [xri] SimpleSign Implementation
On Wed, Dec 24, 2008 at 3:16 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
>
> Ben Laurie wrote:
>>
>> On Mon, Dec 22, 2008 at 1:29 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
>>
>>> Hi.
>>>
>>> No, it is not silly. It is a good question to ask.
>>>
>>> My answer would be:
>>>
>>> a) TLS is only a security for the pipes. It does not protect the message per se.
>>> With a signed document, you can verify the authenticity and validity of a cache / detached document.
>>> b) TLS requires a dedicated IP address. Sites like Google providing services to the companies in the companies' domain do not have enough IP addresses to serve TLS.
>>> This is another reason.
>>
>> This is not actually true anymore - you can use the SNI extension to share an IP address. Because legacy browsers don't support it, it isn't so great for websites, but for a specialist application like retrieving XRD it would work just fine.
>
> Are they implemented widely in common scripting language libraries?

Yes.

> Are they implemented widely in the current http servers?

Yes.

>>> c) There are not enough XMLDSIG implementations yet, and it is complex to implement yourself.
>>> This is becoming a hindrance to the adoption.
>>>
>>> a) and b) call for a message based protection. This calls for something like XML Dsig.
>>> c) Calls for something simpler than XML Dsig.
>>
>> Or more implementations.
>
> Yes. And we are not seeing these yet, unfortunately.
> (BTW, that's another initiative I am willing to run when I get more bandwidth.)
>
>>> Therefore, we have SimpleSign.
>>>
>>> Regards,
>>>
>>> =nat
>>>
>>> Joseph Anthony Pasquale Holsten wrote:
>>>
>>>> I'm trying to wrap my head around the security implications of SimpleSign, and I'm wondering where exactly it is better than TLS or XMLDSIG.
>>>>
>>>> While SimpleSign is designed to be easy to implement, it still has fewer implementations than TLS, or even XMLDSIG. There is also less existing security analysis, test cases, &c.
>>>>
>>>> The certificate from SimpleSign is X509, so depends upon the support of a CA. A certificate will only be valid if the subject applies to the CanonicalID. Getting such a certificate will cost the same as a TLS certificate, if they are not identical.
>>>>
>>>> Why should I use a SimpleSign implementation instead of TLS or XMLDSIG?
>>>>
>>>> Some possible answers:
>>>> * You shouldn't. (NO!!!)
>>>> * Using TLS would require either that all resources must be encrypted and signed (significant overhead), or that the XRD must be available under TLS while other resources may not (significant complexity).
>>>> * Using TLS means that an XRD cannot be provided under restrictive hosting environments, as it cannot be implemented by uploading a PHP script over FTP.
>>>> * Using XMLDSIG requires either a custom implementation (error prone), or support for a known-good implementation (restricted environments).
>>>> * SimpleSign is simple enough that an amateur can implement it without worry of error, is easy to host, and allows flexible security for other resources.
>>>>
>>>> http://josephholsten.com
>>>>
>>>> PS. I'm still trying to get up to speed with everything in XRI, so I'm sorry if I ask silly questions
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:
>>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
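To make Ben's SNI point concrete, here is an added example (not code from the thread, from SimpleSign, or from the XRI TC): a Go program in which one listener on a single IP:port holds a separate certificate per hostname and picks the certificate from the name the client sends in the SNI extension, using only the standard library's crypto/tls. The hostnames a.example and b.example and their self-signed certificates are constructed fixtures for the demonstration; a real deployment would use CA-issued certificates and a client would verify against system roots. The caveats a practitioner wants are built in: the client sets ServerName so the name is both sent as SNI and used for certificate verification, and the server refuses a ClientHello that carries no SNI or an unknown name rather than answering with some default certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed certificate for one DNS name.
// Constructed fixture for this example; real servers use CA-issued certs.
func selfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname verification matches on SANs
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// SNIServer is one TLS listener (one IP:port) holding one certificate per
// hostname and selecting among them by the SNI name in the ClientHello.
type SNIServer struct {
	ln    net.Listener
	certs map[string]tls.Certificate
}

func NewSNIServer(hosts ...string) (*SNIServer, error) {
	certs := map[string]tls.Certificate{}
	for _, h := range hosts {
		c, err := selfSigned(h)
		if err != nil {
			return nil, err
		}
		certs[h] = c
	}
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[hello.ServerName]; ok {
				return &c, nil
			}
			// No SNI, or a name we do not host: fail the handshake instead of
			// silently answering with some default certificate.
			return nil, fmt.Errorf("no certificate for SNI %q", hello.ServerName)
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg) // loopback, ephemeral port
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				defer conn.Close()
				conn.(*tls.Conn).Handshake() // only the handshake is exchanged here
			}()
		}
	}()
	return &SNIServer{ln: ln, certs: certs}, nil
}

func (s *SNIServer) Close() { s.ln.Close() }

// Fetch connects to the shared address the way an XRD client would for
// hostname: ServerName is sent as SNI and the presented certificate is
// verified against it. Returns the CommonName the server presented.
func (s *SNIServer) Fetch(hostname string) (string, error) {
	roots := x509.NewCertPool()
	for _, c := range s.certs {
		roots.AddCert(c.Leaf) // trust the fixtures; a real client uses system roots
	}
	conn, err := tls.Dial("tcp", s.ln.Addr().String(), &tls.Config{
		ServerName: hostname,
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Calling NewSNIServer("a.example", "b.example") and then Fetch("a.example") and Fetch("b.example") returns "a.example" and "b.example" respectively from the same address, while Fetch("c.example") fails in the handshake because GetCertificate returns an error. That is the whole of Ben's claim: the library sends SNI by default once ServerName is set, and the server needs nothing beyond a per-name certificate lookup, so a dedicated IP per hostname is not required for fetching XRDs.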