OASIS Mailing List Archives

xri message



Subject: Re: [xri] XML DSig


I prefer XML DSig, but there has always been an objection from the OpenID side due to perceived complexity.

Though any sort of signature is too much for some folks.

I think it mostly goes to adoption issues.

Some people will ask, if XML DSig is so good and simple, why was XML Simple Sign required?

For a high throughput RP there may be real issues, I can't say for sure.

John B.

On 26-May-09, at 7:38 PM, Drummond Reed wrote:

I frankly do not have enough relevant experience to help with this decision. The question seems clear enough, however, so we should be able to answer it in some more-or-less objective fashion.
 
Given that our own TC membership represents a relatively small sampling, are there any other “neutral” external sources that we can reference for their input?
 
FWIW, I just read the current Wikipedia page on XML Signatures, http://en.wikipedia.org/wiki/XML_Signature, and it does still highlight the complexity and performance issues associated with the XML canonicalization requirements.
 
Other views? Should we raise this on the OpenID lists? The OAuth lists?
 
=Drummond
 

From: Eran Hammer-Lahav [mailto:eran@hueniverse.com] 
Sent: Tuesday, May 26, 2009 2:33 PM
To: Will Norris; xri@lists.oasis-open.org
Subject: Re: [xri] XML DSig
 

The general sentiment here was that XML Dsig is too complicated/overkill. This is not my area but I am reluctant to use XML Dsig without consensus here that it is not too complicated.

EHL


On 5/26/09 2:23 PM, "Will Norris" <will@willnorris.com> wrote:

I think this argument may have been valid 2 or 3 years ago with SAML.  
I'm not sure that it holds any more.

  - http://www.w3.org/Signature/#Code
  - http://identitymeme.org/categories/markup/xml/xmldsig/
  - http://xmlsig.sourceforge.net/

Granted, I'm not sure what the status of these libraries is. But 
given how long SAML has been around and how many different people have 
worked on this, I have no doubt there is at least one "good enough" 
implementation for most any given language.

-will


On May 26, 2009, at 2:00 PM, George Fletcher wrote:

> Basically, the desire was to use a signing mechanism like that 
> enabled with the SAML Simple Sign binding. This requires no 
> canonicalization and is easy to implement in scripts. Note that perl 
> and ssh are great tools for testing this kind of signing. Good 
> library support may be possible for php and java... but it really 
> needs to carry over to all the other languages like ruby, python, 
> perl, et al. This is where the canonicalization does become "hard". 
> That said, I'm not totally opposed to using XMLDSig if that's where 
> the TC goes, but I do think it will slow down adoption in the non-
> mainstream languages.
>
> Thanks,
> George
>
> Will Norris wrote:
>> I'm sure this must have been discussed before, but it was before I 
>> got involved with the TC.  Why are we not using XML DSig for 
>> signing XRD?  I just got off a Shibboleth call where we were 
>> discussing the scope of work for adding OpenID and XRD support to 
>> Shibboleth, and several people (Scott Cantor included, of course) 
>> asked why we weren't using XML DSig.  I didn't actually know the 
>> answer.  I've certainly wondered that myself, but kinda took it at 
>> face value that there was a good reason.  Is there?  Is it really 
>> just that XML Canonicalization is "too hard"?  If that's it, then 
>> isn't the answer to just write better libraries ONCE and be done 
>> with it?  Was there something else brought up in past discussions?
>>
>> If there is a good reason, that's fine... I'd just be a little 
>> embarrassed (especially as a developer) if all we have is "it's too 
>> hard".
>>
>> -will
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail.  Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/
>> my_workgroups.php
>
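The trade-off debated in this thread, as an added example that is not from any participant or from the XRD, SAML or XML DSig specifications: a Simple Sign style signature over the exact bytes needs no XML processing but breaks when the document is re-serialized, while signing the canonical form survives re-serialization at the cost of a canonicalizer. The documents and key are constructed, HMAC-SHA256 stands in for the public-key signature a real deployment would use, and Python's built-in C14N 2.0 stands in for the canonicalization algorithms XML DSig specifies.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize  # Python 3.8+, Canonical XML 2.0

# Constructed key; HMAC is a stand-in for an RSA/DSA signature (assumption).
KEY = b"constructed-demo-key"

# Constructed XRD-like documents. The second has the same content as the
# first but different quoting, attribute order, spacing and empty-tag form.
DOC_AS_SIGNED = (b'<XRD xmlns="http://example.org/xrd">'
                 b'<Link rel="describedby" href="http://example.org/meta"/></XRD>')
DOC_RESERIALIZED = (b"<XRD xmlns='http://example.org/xrd'>"
                    b"<Link href='http://example.org/meta'  rel='describedby' ></Link></XRD>")
DOC_TAMPERED = DOC_AS_SIGNED.replace(b"example.org/meta", b"example.net/meta")


def sign_bytes(data: bytes) -> str:
    """Simple Sign style: sign the exact octets, no XML processing."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def verify_bytes(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_bytes(data), sig)


def c14n(data: bytes) -> bytes:
    """Reduce a document to one canonical serialization before hashing."""
    return canonicalize(data.decode("utf-8")).encode("utf-8")


def sign_canonical(data: bytes) -> str:
    return sign_bytes(c14n(data))


def verify_canonical(data: bytes, sig: str) -> bool:
    return verify_bytes(c14n(data), sig)


def demo() -> dict:
    raw_sig, canon_sig = sign_bytes(DOC_AS_SIGNED), sign_canonical(DOC_AS_SIGNED)
    return {
        "raw/original": verify_bytes(DOC_AS_SIGNED, raw_sig),
        "raw/reserialized": verify_bytes(DOC_RESERIALIZED, raw_sig),
        "canonical/reserialized": verify_canonical(DOC_RESERIALIZED, canon_sig),
        "canonical/tampered": verify_canonical(DOC_TAMPERED, canon_sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24} verifies: {ok}")
```

With byte-level signing the verifier must receive the document unmodified end to end; with canonicalization every implementation must produce identical canonical output, which is the library burden the thread is weighing.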


