Subject: Re: [security-services] SAML simplesign useful in practice?
Well... I know that Orange in France has implemented simplesign and uses it according to the spec. I don't know any data regarding usage. At AOL we use the simplesign algorithm but since we use it for server-to-server calls it's not fully spec compliant (note that simplesign is tied to the use of a user-agent).

Given that simplesign is based on just signing the XML "string" we have seen partners use scripts (e.g. perl and ssh) to do the signing and submit messages. Having a simple script that can do the signing has proved useful in helping partners get the signature part correct.

Good libraries in all the major development languages (including web development like php, ruby, python, erlang, etc) and some simple command line tools/scripts could probably mitigate the need for SimpleSign. The issue with libraries is that they have to be integrated into code, and the library design can have an impact on how easy/hard that integration is. So, being able to easily script the signing is pretty critical to adoption.

Thinking out loud... if there was a command line utility that took an XML document and its XSD(s) and was able to construct the output XML document with embedded signature (and the equivalent decode mech) this might suffice for those environments where scripting is critical. Just not sure how easy it would be to generate such a tool. I know that when trying to get tooling libraries like xmlbeans or axis to build code, just getting all the right XSDs in some place that the tooling can find is tedious/complicated.

The purist in me would prefer to standardize on XMLdsig :) However, seeing how many problems partners have had getting the signature right (albeit once it's figured out it doesn't tend to be a recurring problem), the pragmatic in me is a little concerned that without the right tools we won't be able to on-board as many partners.

Thanks,
George

RL 'Bob' Morgan wrote:
>
> Over in the XRI TC there is a design item to be finished regarding
> signing of XRD documents, and the perhaps predictable discussion of
> whether specifying XML DSIG would be a barrier to adoption, hence
> whether to specify something similar to the SAML simplesign method.
> In fact the existence of SAML simplesign is held up as evidence that
> DSIG is a problem, and of course that is indeed the justification for
> simplesign. I think the most compelling part of the argument was that
> implementations of DSIG for some popular scripting languages (eg PHP)
> were lacking, creating the adoption problem.
>
> So the questions being asked of the SAML community are (a) whether
> simplesign has been implemented and deployed and has enabled more
> adoption as intended; and (b) whether, at this late date, acceptable
> XML DSIG implementations now exist for all those languages such that
> signing via DSIG isn't a problem any more (which might explain why the
> simplesign doc is still at CD stage perhaps).
>
> Does anyone here have any observations or opinions on this?
>
> - RL "Bob"
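
The script-style signing described in the message above, as an added example that is not part of the original thread: it signs serialized XML as an opaque byte string with the `openssl` command-line tool and shows that an equivalent but differently quoted copy no longer verifies. The key pair, file names and sample message are constructed, and the signed input is just the message bytes, which is an assumption and not the SimpleSign binding's exact signing input.

```shell
#!/bin/sh
# Added illustration: string-style signing of XML with the openssl CLI.
# Keys, file names and messages are constructed for this example.

# make_keypair DIR: write a throwaway RSA key pair into DIR
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null &&
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# sign_xml_string PRIVKEY XMLFILE: print a base64 RSA-SHA256 signature over
# the file's exact bytes (no XML parsing, no canonicalization)
sign_xml_string() {
    openssl dgst -sha256 -sign "$1" "$2" | openssl base64 -A
}

# verify_xml_string PUBKEY XMLFILE SIG_B64: exit status 0 only if SIG_B64 is
# a valid signature over the file's exact bytes
verify_xml_string() {
    _sig=$(mktemp) || return 2
    printf '%s\n' "$3" | openssl base64 -d -A > "$_sig"
    openssl dgst -sha256 -verify "$1" -signature "$_sig" "$2" >/dev/null 2>&1
    _rc=$?
    rm -f "$_sig"
    return "$_rc"
}

# demo: succeeds when the signed bytes verify and a copy that differs only in
# attribute quoting (equivalent XML, different bytes) is rejected
demo() {
    work=$(mktemp -d) || return 2
    make_keypair "$work" || return 2
    printf '%s' '<Request ID="_constructed1"><Issuer>sp.example</Issuer></Request>' \
        > "$work/msg.xml"
    printf '%s' "<Request ID='_constructed1'><Issuer>sp.example</Issuer></Request>" \
        > "$work/requoted.xml"
    sig=$(sign_xml_string "$work/priv.pem" "$work/msg.xml")
    verify_xml_string "$work/pub.pem" "$work/msg.xml" "$sig"; ok=$?
    verify_xml_string "$work/pub.pem" "$work/requoted.xml" "$sig"; changed=$?
    rm -rf "$work"
    [ "$ok" -eq 0 ] && [ "$changed" -ne 0 ]
}

demo && echo "original bytes verify; re-quoted copy is rejected"
```

Because the signature covers bytes and not XML structure, the receiver has to verify the message exactly as received, before any parser or re-serializer touches it.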