[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xri] Re: Mime type for XRD/Site-meta signature file
Especially for SiteMeta, SAML Simple Sign approach is good. Problem of doing file based signing with XRD is the time you want to create XRDS from multiple XRD. =nat Breno de Medeiros wrote: > +1 to the simple scheme. > > On Wed, Dec 3, 2008 at 3:50 PM, Brian Eaton <beaton@google.com> wrote: > >> I love the simple sign approach, in particular that it chooses to sign >> a literal string of bytes that is easily reconstructed. >> >> The OAuth canonicalization is relatively simple if you're dealing with >> name/value pairs, but to be honest the spec has been final for over a >> year and we are still finding occasional compatibility issues due to >> canonicalization. >> >> On Wed, Dec 3, 2008 at 2:29 PM, Peter Davis <peter.davis@neustar.biz> wrote: >> >>> FWIW, it might be worthwhile looking at the proposed simple-sign binding >>> draft [1] in the SSTC (SAML). Much thought has gone into this over the past >>> year or so, and might save us sime time, if we really want to consider >>> ditching xml dsig. >>> >>> =peterd >>> >>> [1] >>> http://www.oasis-open.org/apps/org/workgroup/security/download.php/30234/sstc-saml-binding-simplesign-cd-04.pdf >>> >>> On Dec 3, 2008, at 5:20 PM, Eran Hammer-Lahav wrote: >>> >>> >>>> (moving this thread to XRI TC) >>>> >>>> Some questions: >>>> >>>> Is S/MIME adopted? It seems to work very similarly to what we are looking >>>> for, though using multiparts and not links. >>>> Do we have an idea how the current status of adoption for PKCS #7 in >>>> libraries and platforms? >>>> How much signature metadata do we need to build into XRD? >>>> >>>> EHL >>>> >>>> >>>> On 12/3/08 10:14 AM, "Brian Eaton" <beaton@google.com> wrote: >>>> >>>> OK, here's why you should care: >>>> >>>> If we use PKCS #7, we get a signature scheme that works on arbitrary >>>> documents (xml, binary, json, whatever) that includes all of the kinds >>>> of metadata one looks for in such signatures, such as who signed the >>>> document, when they signed, etc... >>>> >>>> The downside to PKCS #7 is that it is somewhat hard to implement from >>>> scratch due to asn.1, and we all know that developers prefer to >>>> implement something simple themselves than pulling in a complicated >>>> library. >>>> >>>> If we use PKCS #1 we need to build signature metadata into XRD. >>>> That's not particularly hard, we can reference the relevant XML DSIG >>>> formats without pulling in the insanity of xml canonicalization. >>>> >>>> So at this point I'm voting for pkcs #1, but there are valid arguments >>>> for pkcs #7 as well. >>>> >>>> Cheers, >>>> Brian >>>> >>>> On Wed, Dec 3, 2008 at 9:51 AM, Eran Hammer-Lahav <eran@hueniverse.com> >>>> wrote: >>>> >>>>> This means nothing to me... :-) >>>>> >>>>> I'm going to leave the crypto stuff to those who truly understand it. >>>>> >>>>> EHL >>>>> >>>>> >>>>>> -----Original Message----- >>>>>> From: Brian Eaton [mailto:beaton@google.com] >>>>>> Sent: Wednesday, December 03, 2008 9:44 AM >>>>>> To: Eran Hammer-Lahav >>>>>> Cc: Ben Laurie >>>>>> Subject: Re: Mime type for XRD/Site-meta signature file >>>>>> >>>>>> pkcs #7 wraps the raw pkcs #1 signature with some additional asn.1 >>>>>> The format is in http://tools.ietf.org/html/rfc2315 if you're >>>>>> interested. >>>>>> >>>>>> On Wed, Dec 3, 2008 at 9:40 AM, Eran Hammer-Lahav <eran@hueniverse.com> >>>>>> wrote: >>>>>> >>>>>>> I have no clue what the difference between 1 and 7 is... I simply >>>>>>> >>>>>> looked for an existing signature mime-type and found this... >>>>>> >>>>>>> Ben and Jonathan Sergent submitted the OAuth proposal for PKCS #1.5 >>>>>>> >>>>>> and we never discussed it. >>>>>> >>>>>>> EHL >>>>>>> >>>>>>> >>>>>>>> -----Original Message----- >>>>>>>> From: Brian Eaton [mailto:beaton@google.com] >>>>>>>> Sent: Wednesday, December 03, 2008 9:37 AM >>>>>>>> To: Ben Laurie >>>>>>>> Cc: Eran Hammer-Lahav >>>>>>>> Subject: Re: Mime type for XRD/Site-meta signature file >>>>>>>> >>>>>>>> On Wed, Dec 3, 2008 at 2:08 AM, Ben Laurie <ben@links.org> wrote: >>>>>>>> >>>>>>>>> Eran Hammer-Lahav wrote: >>>>>>>>> >>>>>>>>>> I am not sure which signature method you had in mind, but if it >>>>>>>>>> >>>>>> is >>>>>> >>>>>>>> PKCS7, >>>>>>>> >>>>>>>>>> would application/pkcs7-signature work as a mime-type? >>>>>>>>>> >>>>>>>>> I can't see any harm in that. >>>>>>>>> >>>>>>>> Why did the OAuth community decide to go with PKCS #1.5 instead of >>>>>>>> >>>>>> PKCS >>>>>> >>>>>>>> #7? >>>>>>>> >>>>>>>> There seems to be a certain amount of overlap between the XML DSIG >>>>>>>> schema and the PKCS #7 ASN.1 schema. Both include mechanisms for >>>>>>>> transferring certificates, for example. My concern about using PKCS >>>>>>>> #7 signatures instead of using PKCS #1 is that some platforms may >>>>>>>> >>>>>> not >>>>>> >>>>>>>> have standard libraries for parsing PKCS #7 objects. For example, >>>>>>>> Sun's JCE doesn't seem to expose PKCS #7 signature verification >>>>>>>> >>>>>> tools. >>>>>> >>>>>>>> They do expose tools to verify PKCS #1 signatures. >>>>>>>> >>> Peter Davis: NeuStar, Inc. >>> Director & Distinguished Member of the Technical Staff >>> 45980 Center Oak Plaza Sterling, VA 20166 >>> [T] +1 571 434 5516 [E] peter.davis@neustar.biz [W] >>> http://www.neustar.biz/ [X] xri://@neustar*pdavis [X] xri://=peterd >>> The information contained in this e-mail message is intended only for the >>> use of the recipient(s) named above and may contain confidential and/or >>> privileged information. If you are not the intended recipient you have >>> received this e-mail message in error and any review, dissemination, >>> distribution, or copying of this message is strictly prohibited. If you have >>> received this communication in error, please notify us immediately and >>> delete the original message. >>> >>> >>> >>> >> --------------------------------------------------------------------- >> To unsubscribe from this mail list, you must leave the OASIS TC that >> generates this mail. Follow this link to all your TCs in OASIS at: >> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php >> >> >> > > > > -- > --Breno > > +1 (650) 214-1007 desk > +1 (408) 212-0135 (Grand Central) > MTV-41-3 : 383-A > PST (GMT-8) / PDT(GMT-7) > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > > -- Nat Sakimura (=nat) Nomura Research Institute, Ltd. XDI.ORG Vice Chair
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]