Subject: RE: [security-services] SAML simplesign useful in practice?
One of the points to keep in mind is that aside from the work being done now to produce a streamlined XML Sig 2.0 that doesn't rely on XPath for c14n, if you know that the XML being referenced is a whole document or doc subtree, you can implement "real" c14n today very simply with a namespace stack and a bit of code to reorder attributes. Performance is more or less on par with XML serialization. Since things like SAML (and I suspect XRD) use a very constrained set of transforms and referencing, it's quite possible to implement the signing required for just those use cases without implementing full c14n or transform support. If I knew anything about Ruby, Python, et al., I'd be happy to write it, but I don't speak those languages.

For the record, one XML Sig limitation that leads to SimpleSign is the inability to reference an HTTP form field or header within a Signature Reference. You couldn't use XML Sig to do what OAuth does, for example, not yet anyway.

-- Scott
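The namespace-stack approach described in the message above, as an added Python example that is not from the original post or its author. It assumes the exclusive c14n variant without comments that SAML signatures normally use, no InclusiveNamespaces prefix list, no DTD, and it drops processing instructions; `exc_c14n` and the sample documents are constructed for illustration.

```python
from xml.dom import Node, minidom
XMLNS = "http://www.w3.org/2000/xmlns/"
TEXT = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ("\r", "&#xD;"))
ATTR = (("&", "&amp;"), ("<", "&lt;"), ('"', "&quot;"),
        ("\t", "&#x9;"), ("\n", "&#xA;"), ("\r", "&#xD;"))

def _esc(s, table):
    for raw, ref in table:
        s = s.replace(raw, ref)
    return s

def _decls(el):  # prefix -> URI declared on this element ("" = default namespace)
    return {"" if a.name == "xmlns" else a.localName: a.value or ""
            for a in el.attributes.values() if a.namespaceURI == XMLNS}

def _emit(el, in_scope, rendered):  # copying the dicts is the stack "push"
    in_scope, rendered = {**in_scope, **_decls(el)}, dict(rendered)
    attrs = [a for a in el.attributes.values() if a.namespaceURI != XMLNS]
    used = {el.prefix or ""} | {a.prefix for a in attrs if a.prefix}
    out = ["<" + el.tagName]
    for p in sorted(used - {"xml"}):  # default namespace ("") sorts first
        uri = in_scope.get(p, "")
        if rendered.get(p, "") != uri:  # binding not yet visible in the output
            out.append(' xmlns%s="%s"' % (":" + p if p else "", _esc(uri, ATTR)))
            rendered[p] = uri
    for a in sorted(attrs, key=lambda a: (a.namespaceURI or "", a.localName)):
        out.append(' %s="%s"' % (a.name, _esc(a.value, ATTR)))
    out.append(">")
    for c in el.childNodes:  # comments and processing instructions are dropped
        if c.nodeType == Node.ELEMENT_NODE:
            out.append(_emit(c, in_scope, rendered))
        elif c.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            out.append(_esc(c.data, TEXT))
    return "".join(out) + "</%s>" % el.tagName

def exc_c14n(el):  # canonical UTF-8 bytes for the subtree rooted at `el`
    in_scope, node = {}, el.parentNode
    while node is not None and node.nodeType == Node.ELEMENT_NODE:
        in_scope = {**_decls(node), **in_scope}  # nearer declarations win
        node = node.parentNode
    return _emit(el, in_scope, {}).encode("utf-8")

# Constructed sample: one SAML-shaped document, serialized two different ways.
P, A = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
BODY = "<saml:Issuer>https://idp.example.org</saml:Issuer></saml:Assertion></samlp:Response>"
DOC_A = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:unused="urn:example:unused">'
         '<saml:Assertion Version="2.0" ID="_a1">' % (P, A) + BODY)
DOC_B = ("<samlp:Response xmlns:samlp='%s'><saml:Assertion   ID='_a1' xmlns:saml='%s' "
         "Version='2.0' >" % (P, A) + BODY)
```

Passing `minidom.parseString(DOC_A).documentElement` and the same for `DOC_B` yields identical bytes, and so does passing the `saml:Assertion` element of either document, which is the subtree case a signed assertion inside a response needs.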