Re: [xri] SimpleSign for estabilishing the authenticity of XRD.

[Peter Davis <peter.davis@neustar.biz>]

There is, i think, a fourth option, which is to modify the simplesign  
proposal for blob-signing such that:

the signature declaration points to XRD#xmlid
extract the raw document bytes from all the descendants of XRD#xmlid

key and signature processing could, AFAICT, remain the same.  Since  
i've not messed with all xml libraries, i am not sure if all of them  
will properly retain byte precision after the extraction, however.

=peterd

On Dec 11, 2008, at 11:23 AM, Brian Eaton wrote:

> On Thu, Dec 11, 2008 at 8:07 AM, John Bradley <jbradley@mac.com>  
> wrote:
>> The XRI resolver produces a XRD Sequence as its output that XML  
>> document
>> contains the chain of XRD documents resolved.
>> The client can then verify the signatures of each of the XRDs  
>> contained in
>> the XRDS.
>> The last XRD in the XRDS is the one with the SEPs that you are  
>> interested
>> in.   The other XRDs in the XRDS provide the audit info for the  
>> client to
>> verify.
>> This is particularly important where you are doing XRI resolution  
>> through a
>> proxy resolver that you may or may not trust.
>> The concept of producing a XRD Sequence is not unlike what you are  
>> talking
>> about with delegation.
>> A XRDS containing all the XRD that the resolver processed could be  
>> returned
>> to the requester for it to audit and verify the signatures or at- 
>> least the
>> delegation chain.
>
> Ah, I think I've got it now...  when you pluck all of the XRDs out of
> their original byte streams and drop them into a new XML file, the
> signatures on the original would no longer be valid.  Have I
> understood the problem?
>
> One way to deal with this is not to use an XRD resolver service;
> instead the client does the XRD resolution itself.  That way the
> signatures can be verified locally, and you get to avoid a dependency
> on an external service.
>
> Another mechanism would be use multipart/file for the XRDS resolver to
> return the original byte streams for each of the XRDs.
>
> A third possibility would be to accept that you really want to be able
> to move XML elements from document to document, munge them as
> necessary, and still be able to verify the signatures.  XML DSIG is
> really the right tool for that.
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>

Peter Davis: NeuStar, Inc.
Director & Distinguished Member of the Technical Staff
45980 Center Oak Plaza Sterling, VA 20166
[T] +1 571 434 5516 [E] peter.davis@neustar.biz [W] http://www.neustar.biz/ 
  [X] xri://@neustar*pdavis [X] xri://=peterd
The information contained in this e-mail message is intended only for  
the use of the recipient(s) named above and may contain confidential  
and/or privileged information. If you are not the intended recipient  
you have received this e-mail message in error and any review,  
dissemination, distribution, or copying of this message is strictly  
prohibited. If you have received this communication in error, please  
notify us immediately and delete the original message.