[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xri] Re: Mime type for XRD/Site-meta signature file
I love the simple sign approach, in particular that it chooses to sign a literal string of bytes that is easily reconstructed. The OAuth canonicalization is relatively simple if you're dealing with name/value pairs, but to be honest the spec has been final for over a year and we are still finding occasional compatibility issues due to canonicalization. On Wed, Dec 3, 2008 at 2:29 PM, Peter Davis <peter.davis@neustar.biz> wrote: > FWIW, it might be worthwhile looking at the proposed simple-sign binding > draft [1] in the SSTC (SAML). Much thought has gone into this over the past > year or so, and might save us sime time, if we really want to consider > ditching xml dsig. > > =peterd > > [1] > http://www.oasis-open.org/apps/org/workgroup/security/download.php/30234/sstc-saml-binding-simplesign-cd-04.pdf > > On Dec 3, 2008, at 5:20 PM, Eran Hammer-Lahav wrote: > >> (moving this thread to XRI TC) >> >> Some questions: >> >> Is S/MIME adopted? It seems to work very similarly to what we are looking >> for, though using multiparts and not links. >> Do we have an idea how the current status of adoption for PKCS #7 in >> libraries and platforms? >> How much signature metadata do we need to build into XRD? >> >> EHL >> >> >> On 12/3/08 10:14 AM, "Brian Eaton" <beaton@google.com> wrote: >> >> OK, here's why you should care: >> >> If we use PKCS #7, we get a signature scheme that works on arbitrary >> documents (xml, binary, json, whatever) that includes all of the kinds >> of metadata one looks for in such signatures, such as who signed the >> document, when they signed, etc... >> >> The downside to PKCS #7 is that it is somewhat hard to implement from >> scratch due to asn.1, and we all know that developers prefer to >> implement something simple themselves than pulling in a complicated >> library. >> >> If we use PKCS #1 we need to build signature metadata into XRD. >> That's not particularly hard, we can reference the relevant XML DSIG >> formats without pulling in the insanity of xml canonicalization. >> >> So at this point I'm voting for pkcs #1, but there are valid arguments >> for pkcs #7 as well. >> >> Cheers, >> Brian >> >> On Wed, Dec 3, 2008 at 9:51 AM, Eran Hammer-Lahav <eran@hueniverse.com> >> wrote: >> > This means nothing to me... :-) >> > >> > I'm going to leave the crypto stuff to those who truly understand it. >> > >> > EHL >> > >> >> -----Original Message----- >> >> From: Brian Eaton [mailto:beaton@google.com] >> >> Sent: Wednesday, December 03, 2008 9:44 AM >> >> To: Eran Hammer-Lahav >> >> Cc: Ben Laurie >> >> Subject: Re: Mime type for XRD/Site-meta signature file >> >> >> >> pkcs #7 wraps the raw pkcs #1 signature with some additional asn.1 >> >> The format is in http://tools.ietf.org/html/rfc2315 if you're >> >> interested. >> >> >> >> On Wed, Dec 3, 2008 at 9:40 AM, Eran Hammer-Lahav <eran@hueniverse.com> >> >> wrote: >> >> > I have no clue what the difference between 1 and 7 is... I simply >> >> looked for an existing signature mime-type and found this... >> >> > >> >> > Ben and Jonathan Sergent submitted the OAuth proposal for PKCS #1.5 >> >> and we never discussed it. >> >> > >> >> > EHL >> >> > >> >> >> -----Original Message----- >> >> >> From: Brian Eaton [mailto:beaton@google.com] >> >> >> Sent: Wednesday, December 03, 2008 9:37 AM >> >> >> To: Ben Laurie >> >> >> Cc: Eran Hammer-Lahav >> >> >> Subject: Re: Mime type for XRD/Site-meta signature file >> >> >> >> >> >> On Wed, Dec 3, 2008 at 2:08 AM, Ben Laurie <ben@links.org> wrote: >> >> >> > Eran Hammer-Lahav wrote: >> >> >> >> I am not sure which signature method you had in mind, but if it >> >> is >> >> >> PKCS7, >> >> >> >> would application/pkcs7-signature work as a mime-type? >> >> >> > >> >> >> > I can't see any harm in that. >> >> >> >> >> >> Why did the OAuth community decide to go with PKCS #1.5 instead of >> >> PKCS >> >> >> #7? >> >> >> >> >> >> There seems to be a certain amount of overlap between the XML DSIG >> >> >> schema and the PKCS #7 ASN.1 schema. Both include mechanisms for >> >> >> transferring certificates, for example. My concern about using PKCS >> >> >> #7 signatures instead of using PKCS #1 is that some platforms may >> >> not >> >> >> have standard libraries for parsing PKCS #7 objects. For example, >> >> >> Sun's JCE doesn't seem to expose PKCS #7 signature verification >> >> tools. >> >> >> They do expose tools to verify PKCS #1 signatures. >> >> > >> > >> > > Peter Davis: NeuStar, Inc. > Director & Distinguished Member of the Technical Staff > 45980 Center Oak Plaza Sterling, VA 20166 > [T] +1 571 434 5516 [E] peter.davis@neustar.biz [W] > http://www.neustar.biz/ [X] xri://@neustar*pdavis [X] xri://=peterd > The information contained in this e-mail message is intended only for the > use of the recipient(s) named above and may contain confidential and/or > privileged information. If you are not the intended recipient you have > received this e-mail message in error and any review, dissemination, > distribution, or copying of this message is strictly prohibited. If you have > received this communication in error, please notify us immediately and > delete the original message. > > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]