I frankly do not have enough relevant experience to help with this decision. The question seems clear enough, however, so we should be able to answer it in some more-or-less objective fashion.

Given that our own TC membership represents a relatively small sampling, are there any other “neutral” external sources that we can reference for their input?

FWIW, I just read the current Wikipedia page on XML Signatures, http://en.wikipedia.org/wiki/XML_Signature, and it does still highlight the complexity and performance issues associated with the XML canonicalization requirements.

Other views? Should we raise this on the OpenID lists? The OAuth lists?

=Drummond
From: Eran Hammer-Lahav [mailto:eran@hueniverse.com]
Sent: Tuesday, May 26, 2009 2:33 PM
To: Will Norris; xri@lists.oasis-open.org
Subject: Re: [xri] XML DSig
The general sentiment here was that XML Dsig is too complicated/overkill. This is not my area but I am reluctant to use XML Dsig without consensus here that it is not too complicated.

EHL
On 5/26/09 2:23 PM, "Will Norris" <will@willnorris.com> wrote:
I think this argument may have been valid 2 or 3 years ago with SAML. I'm not sure that it holds any more.
- http://www.w3.org/Signature/#Code
- http://identitymeme.org/categories/markup/xml/xmldsig/
- http://xmlsig.sourceforge.net/
Granted, I'm not sure what the status of these libraries is. But given how long SAML has been around and how many different people have worked on this, I have no doubt there is at least one "good enough" implementation for most any given language.
-will
On May 26, 2009, at 2:00 PM, George Fletcher wrote:
> Basically, the desire was to use a signing mechanism like that
> enabled with the SAML Simple Sign binding. This requires no
> canonicalization and is easy to implement in scripts. Note that perl
> and ssh are great tools for testing this kind of signing. Good
> library support may be possible for php and java... but it really
> needs to carry over to all the other languages like ruby, python,
> perl, et al. This is where the canonicalization does become "hard".
> That said, I'm not totally opposed to using XMLDSig if that's where
> the TC goes, but I do think it will slow down adoption in the non-
> mainstream languages.
>
> Thanks,
> George
>
> Will Norris wrote:
>> I'm sure this must have been discussed before, but it was before I
>> got involved with the TC. Why are we not using XML DSig for
>> signing XRD? I just got off a Shibboleth call where we were
>> discussing the scope of work for adding OpenID and XRD support to
>> Shibboleth, and several people (Scott Cantor included, of course)
>> asked why we weren't using XML DSig. I didn't actually know the
>> answer. I've certainly wondered that myself, but kinda took it at
>> face value that there was a good reason. Is there? Is it really
>> just that XML Canonicalization is "too hard"? If that's it, then
>> isn't the answer to just write better libraries ONCE and be done
>> with it? Was there something else brought up in past discussions?
>>
>> If there is a good reason, that's fine... I'd just be a little
>> embarrassed (especially as a developer) if all we have is "it's too
>> hard".
>>
>> -will
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail. Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
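An added example (not from this thread or the XRI TC) contrasting the two approaches George describes: a simple-sign style signature over the exact octets of an XRD, with no canonicalization, versus canonicalizing before signing as XML DSig does. The namespace, documents and key are constructed; an HMAC stands in for the public-key signature, and Python's standard-library C14N 2.0 stands in for the canonicalization XML DSig actually requires (C14N 1.0/1.1 or Exclusive C14N), which is where the per-language library burden George mentions comes from.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

# Constructed demo key and documents; the namespace URI is a placeholder, not XRD's.
KEY = b"constructed-demo-key"
NS = "urn:example:xrd"
DOC_A = (f'<XRD xmlns="{NS}"><Subject>http://example.com/</Subject>'
         f'<Link rel="lrdd" type="application/xrd+xml"/></XRD>').encode()
# Same XRD, same meaning: re-serialized with indentation and attributes reordered.
DOC_B = (f'<XRD xmlns="{NS}">\n  <Subject>http://example.com/</Subject>\n'
         f'  <Link type="application/xrd+xml" rel="lrdd"/>\n</XRD>').encode()
# A genuinely different document: the link relation was changed.
DOC_TAMPERED = DOC_A.replace(b'rel="lrdd"', b'rel="other"')


def _mac(data: bytes) -> str:
    # HMAC-SHA256 stands in for the RSA/DSA signature a real deployment would use.
    return base64.b64encode(hmac.new(KEY, data, hashlib.sha256).digest()).decode()


def simple_sign(doc: bytes) -> str:
    """Simple-sign style: sign the exact octets as transmitted, no canonicalization."""
    return _mac(doc)


def simple_verify(doc: bytes, sig: str) -> bool:
    return hmac.compare_digest(simple_sign(doc), sig)


def canonical(doc: bytes) -> bytes:
    # stdlib C14N 2.0 (Python >= 3.8): sorts attributes, drops whitespace-only text.
    # XML DSig 1.x requires C14N 1.0/1.1 or Exclusive C14N; the principle is the same.
    return ET.canonicalize(xml_data=doc.decode(), strip_text=True).encode()


def c14n_sign(doc: bytes) -> str:
    """DSig style: canonicalize first, then sign the canonical octets."""
    return _mac(canonical(doc))


def c14n_verify(doc: bytes, sig: str) -> bool:
    return hmac.compare_digest(c14n_sign(doc), sig)


if __name__ == "__main__":
    sig = simple_sign(DOC_A)
    print("simple, same bytes:   ", simple_verify(DOC_A, sig))        # True
    print("simple, re-serialized:", simple_verify(DOC_B, sig))        # False
    sig = c14n_sign(DOC_A)
    print("c14n, re-serialized:  ", c14n_verify(DOC_B, sig))          # True
    print("c14n, tampered:       ", c14n_verify(DOC_TAMPERED, sig))   # False
```

The simple-sign signature only survives as long as the receiver verifies the bytes exactly as sent; any re-serialization by an intermediary XML stack breaks it, which is the failure mode canonicalization exists to absorb.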