Subject: Re: [xri] SimpleSign Implementation
Hi.

No, it is not silly. It is a good question to ask.

My answer would be:

a) TLS is only security for the pipes. It does not protect the message per se. With a signed document, you can verify the authenticity and validity of a cached / detached document.

b) TLS requires a dedicated IP address. Sites like Google providing services to the companies in the companies' domain do not have enough IP addresses to serve TLS. This is another reason.

c) There are not enough XMLDSIG implementations yet, and it is complex to implement yourself. This is becoming a hindrance to the adoption.

a) and b) call for a message-based protection. This calls for something like XML Dsig.
c) calls for something simpler than XML Dsig.

Therefore, we have SimpleSign.

Regards,

=nat

Joseph Anthony Pasquale Holsten wrote:
> I'm trying to wrap my head around the security implications of
> SimpleSign, and I'm wondering where exactly it is better than TLS or
> XMLDSIG.
>
> While SimpleSign is designed to be easy to implement, it still has
> fewer implementations than TLS, or even XMLDSIG. There is also less
> existing security analysis, test cases, &c.
>
> The certificate from SimpleSign is X509, so depends upon the support
> of a CA. A certificate will only be valid if the subject applies to
> the CanonicalID. Getting such a certificate will cost the same as a
> TLS certificate, if they are not identical.
>
> Why should I use a SimpleSign implementation instead of TLS or XMLDSIG?
>
> Some possible answers:
> * You shouldn't. (NO!!!)
> * Using TLS would require either all resources must be encrypted and
>   signed (significant overhead), or that the XRD must be available under
>   TLS while other resources may not (significant complexity).
> * Using TLS means that an XRD cannot be provided under restrictive
>   hosting environments, as it cannot be implemented by uploading a PHP
>   script over FTP.
> * Using XMLDSIG requires either a custom implementation (error
>   prone), or support for a known-good implementation (restricted
>   environments).
> * SimpleSign is simple enough that an amateur can implement it
>   without worry of error, is easy to host, and allows flexible security
>   for other resources.
>
> http://josephholsten.com
>
> PS. I'm still trying to get up to speed with everything in XRI, so
> I'm sorry if I ask silly questions
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php