Re: [xri] XML DSig

[George Fletcher <george.fletcher@corp.aol.com>]

Basically, the desire was to use a signing mechanism like that enabled 
with the SAML Simple Sign binding. This requires no canonicalization and 
is easy to implement in scripts. Note that perl and ssh are great tools 
for testing this kind of signing. Good library support may be possible 
for php and java... but it really needs to carry over to all the other 
languages like ruby, python, perl, et. al. This is where the 
canonicalization does become "hard". That said, I'm not totally opposed 
to using XMLDSig if that's where the TC goes, but I do think it will 
slow down adoption in the non-mainstream languages.

Thanks,
George

Will Norris wrote:
> I'm sure this must have been discussed before, but it was before I got 
> involved with the TC.  Why are we not using XML DSig for signing XRD?  
> I just got off a Shibboleth call where we were discussing the scope of 
> work for adding OpenID and XRD support to Shibboleth, and several 
> people (Scott Cantor included, of course) asked why weren't using XML 
> DSig.  I didn't actually know the answer.  I've certainly wondered 
> that myself, but kinda took it at face value that there was a good 
> reason.  Is there?  Is it really just that XML Canonicalization is 
> "too hard"?  If that's it, then isn't the answer to just write better 
> libraries ONCE and be done with it?  Was there something else brought 
> up in past discussions?
>
> If there is a good reason, that's fine... I'd just be a little 
> embarrassed (especially as a developer) if all we have is "it's too 
> hard".
>
> -will
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php