[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xri] xml dsig profile
I was pretty unhappy with specifying XML DSig years ago when we weren't sure that implementations would be out there. Fast forward a few years, and its clear to me that XML DSig is not really well implemented and I'm happy to see other signature mechanisms in place. One reason that XML DSig canonicalization exists, however, is because XML defines equality between two fragments where those two fragments may differ in the way they are serialized. And why allow serializations to differ? Because many libraries that input/output/process XML take liberty in rewriting XML as theyprocess it. Namespaces are the big area where this happens - libraries frequrently rewrite the namespace qualifier (which is supposed to be arbitrary within a document anyway). This allows app developers to use standard libraries to do XML processing, while still being able to apply signatures -- "cutting and pasting" a block into an XML document is an example. AFAICT, alternate signature mechanisms like SimpleSign won't allow for alternate serializations, which is fine, but lets recognize that this may make some processing more complicated because application developers can't have the assurance that the libs they are using will preserve the octets as the XML is processed (e.g. copied from document to another, for example). -Gabe On Fri, Feb 6, 2009 at 4:54 PM, Brian Eaton <beaton@google.com> wrote: > On Fri, Feb 6, 2009 at 3:30 PM, Sakimura Nat <n-sakimura@nri.co.jp> wrote: >> I would also like to hear an input from people in SSTC on the rational they came up with Simple Sign. > > Absolutely. Peter was going to ping them. I'm really hoping they can > comment. I'd like to hear from the authors of XML DSIG as well. > >> Also, note that XML Dsig implementation on the scripting languages are wrappers on C library, and it may not be feasible to use them in many hostin environment. So, we might want to take this into consideration as well. > > Agreed, those libraries are for the truly desperate. > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > > -- Gabe Wachob / gwachob@wachob.com \ http://blog.wachob.com
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]