OASIS Mailing List Archives

 



xri message



Subject: [xri] SimpleSign Implementation


I'm trying to wrap my head around the security implications of  
SimpleSign, and I'm wondering where exactly it is better than TLS or  
XMLDSIG.

While SimpleSign is designed to be easy to implement, it still has  
fewer implementations than TLS, or even XMLDSIG. There is also less  
existing security analysis, test cases, &c.

The certificate from SimpleSign is X509, so depends upon the support  
of a CA. A certificate will only be valid if the subject applies to  
the CanonicalID. Getting such a certificate will cost the same as a  
TLS certificate, if they are not identical.

Why should I use a SimpleSign implementation instead of TLS or XMLDSIG?

Some possible answers:
* You shouldn't. (NO!!!)
* Using TLS would require either that all resources be encrypted and  
signed (significant overhead), or that the XRD be available under  
TLS while other resources may not (significant complexity).
* Using TLS means that an XRD cannot be provided under restrictive  
hosting environments, as it cannot be implemented by uploading a PHP  
script over FTP.
* Using XMLDSIG requires either a custom implementation (error  
prone), or support for a known-good implementation (restricted  
environments).
* SimpleSign is simple enough that an amateur can implement it  
without worry of error, is easy to host, and allows flexible security  
for other resources.

http://josephholsten.com

PS. I'm still trying to get up to speed with everything in XRI, so  
I'm sorry if I ask silly questions.

