OASIS Mailing List Archives

 



security-services message



Subject: RE: [security-services] SAML simplesign useful in practice?


One of the points to keep in mind is that aside from the work being done now
to produce a streamlined XML Sig 2.0 that doesn't rely on XPath for c14n, if
you know that the XML being referenced is a whole document or doc subtree,
you can implement "real" c14n today very simply with a namespace stack and a
bit of code to reorder attributes. Performance is more or less on par with
XML serialization.

Since things like SAML (and I suspect XRD) use a very constrained set of
transforms and referencing, it's quite possible to implement the signing
required for just those use cases without implementing full c14n or
transform support. If I knew anything about Ruby, Python, et al., I'd be
happy to write it, but I don't speak those languages.

For the record, one XML Sig limitation that leads to SimpleSign is the
inability to reference an HTTP form field or header within a Signature
Reference. You couldn't use XML Sig to do what OAuth does, for example, not
yet anyway.

-- Scott
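
The approach described in the message above (a namespace stack plus attribute reordering over one subtree), shown in Python as an added example that is not part of the original post. It assumes Exclusive C14N without comments and with an empty InclusiveNamespaces list, and it does not handle processing instructions; the names `c14n`, `canonical_assertion` and the sample document are constructed for illustration.

```python
# Added example: constrained Exclusive C14N (no comments, empty InclusiveNamespaces
# list) for one element subtree. Processing instructions are not handled.
from xml.dom import minidom, Node

XMLNS = "http://www.w3.org/2000/xmlns/"
TEXT = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ("\r", "&#xD;")]
ATTR = [("&", "&amp;"), ("<", "&lt;"), ('"', "&quot;"),
        ("\t", "&#x9;"), ("\n", "&#xA;"), ("\r", "&#xD;")]

def _esc(s, pairs):
    for raw, ref in pairs:
        s = s.replace(raw, ref)
    return s

def _lookup(el, prefix):  # resolve a prefix ('' = default), also above the subtree root
    name = "xmlns:" + prefix if prefix else "xmlns"
    while el is not None and el.nodeType == Node.ELEMENT_NODE:
        if el.hasAttribute(name):
            return el.getAttribute(name) or ""
        el = el.parentNode
    return ""

def c14n(el, rendered=None):
    scope = dict(rendered or {})  # namespace stack frame: prefix -> URI already output
    attrs = [a for a in el.attributes.values() if a.namespaceURI != XMLNS]
    # Declare only the prefixes this element or its attributes visibly use.
    used = ({el.prefix or ""} | {a.prefix for a in attrs if a.prefix}) - {"xml"}
    out = ["<" + el.tagName]
    for p in sorted(used):  # the default namespace ('') sorts first
        uri = _lookup(el, p)
        if scope.get(p, "") != uri:
            scope[p] = uri
            out.append(' xmlns%s="%s"' % (":" + p if p else "", _esc(uri, ATTR)))
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _esc(a.value, ATTR)))
    out.append(">")
    for child in el.childNodes:
        if child.nodeType == Node.ELEMENT_NODE:
            out.append(c14n(child, scope))
        elif child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            out.append(_esc(child.data, TEXT))
    return "".join(out) + "</%s>" % el.tagName  # empty elements get an end tag

# Constructed sample: a SAML-like assertion inside a wrapper with an unused prefix.
SAMPLE = ('<env xmlns:unused="urn:example:unused" '
          'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion Version="2.0" '
          'ID="_a1"><saml:Issuer>https://idp.example/a&amp;b</saml:Issuer><saml:Subject/>'
          '</saml:Assertion></env>')

def canonical_assertion(xml):
    return c14n(minidom.parseString(xml).getElementsByTagName("saml:Assertion")[0])
```

Two serializations of the same assertion that differ in quoting, attribute order or redundant namespace declarations produce identical bytes from `canonical_assertion`, which is the property a signature digest depends on.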



