Subject: Re: [xri] xml dsig profile
Finally, I am coming back. So, what is the status of the XRD signature argument right now?

=nat

--------------------------------------------------
From: "Peter Davis" <peter.davis@neustar.biz>
Sent: Thursday, March 05, 2009 7:05 AM
To: "Brian Eaton" <beaton@google.com>
Cc: "George Fletcher" <george.fletcher@corp.aol.com>; "=JeffH" <Jeff.Hodges@kingsmountain.com>; <xri@lists.oasis-open.org>
Subject: Re: [xri] xml dsig profile

> On Mar 4, 2009, at 12:44 PM, Brian Eaton wrote:
>
>> On Wed, Mar 4, 2009 at 6:54 AM, George Fletcher <george.fletcher@corp.aol.com> wrote:
>>> But the need to expose these different endpoints is already a use case. I want my PoCo and ActivityStream endpoints listed in my XRD. How do they get there? Do I (the user) have to add them myself? Does the service that generates the XRD have to provide UI to the user and present them all the choices for what to add? That won't scale.
>>
>> That challenge needs to be addressed independent of any questions about XML DSIG vs Simple Sign vs Magic Security Dust.
>
> Well, sort of. It will be a challenge, I think, to concoct a non-XMLDsig mode of signing document portions (rather than the entire XML stream). But I am not wed to signature forms, as much as I am the use case I described.
>
>> Once we figure out the flows involved in managing XRDs, I think we'll end up at a point where each XRD for each user has either no signature (for use cases where security is not critical) or one signature.
>
> Perhaps. I have a few projects afoot which would benefit greatly from service-level signing by different parties. FWIW, any use case that could be applied to a regulated space (eg: any US Corporation, Gov't agency, etc...) will likely require some form of service authentication (but perhaps not always at service discovery time).
>
>> The single signature case would work as follows:
>>
>> Actors: user, XRD host, third party
>>
>> 1) Third party gets permission to modify the XRD for the user. That could be via an OAuth approval, or something out of band.
>>
>> 2) Third party sends a message to XRD host asking to add a service entry.
>>
>> 3) XRD host adds the entry, resigns the XRD for the user.
>
> Right, this will work for many cases, but not for mine :-(
>
>> One key is all that's necessary, because the XRD for the user is *only making statements about the user*. If you want authoritative data about the service, you need to go ask the service for that.
>>
>> So, yes, I see a need for service discovery and publication, no, I don't see a need for a single XRD to have multiple entries signed by different entities.
>
> Peter Davis: NeuStar, Inc.
> Director & Distinguished Member of the Technical Staff
> 45980 Center Oak Plaza Sterling, VA 20166
> [T] +1 571 434 5516 [E] peter.davis@neustar.biz [W] http://www.neustar.biz/
> [X] xri://@neustar*pdavis [X] xri://=peterd
> The information contained in this e-mail message is intended only for the use of the recipient(s) named above and may contain confidential and/or privileged information. If you are not the intended recipient you have received this e-mail message in error and any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately and delete the original message.
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
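The two designs argued over in the quoted thread, modelled as an added example that is not part of this thread or of the XRD specification: Brian's single host signature over the whole XRD (which the host must recompute at step 3 after any entry is added) beside the per-entry, per-party signing Peter asks for. The element names, endpoints and keys are constructed, and HMAC-SHA256 stands in for an XML DSig signature; what the example shows is what each signature covers and who can recompute it, which is the same under either primitive. Canonicalization uses the standard library's C14N 2.0 so that whitespace and attribute order do not change the signed bytes, as XML DSig also requires.

```python
"""Constructed model of the two XRD signing designs discussed in the thread:
one signature by the XRD host over the whole document, versus one signature per
service entry by the party that contributed it. HMAC-SHA256 stands in for the
XML DSig signature primitive; keys, element names and endpoints are made up."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample document; element names are a simplified stand-in for XRD.
SAMPLE_XRD = """<XRD>
  <Subject>acct:alice@example.test</Subject>
  <Service id="poco" type="portable-contacts">https://contacts.example.test/alice</Service>
</XRD>"""

# Constructed entries a third party asks the host to add (thread steps 1-2).
ACTIVITY_SERVICE = '<Service id="activity" type="activity-stream">https://streams.example.test/alice</Service>'
BLOG_SERVICE = '<Service id="blog" type="blog">https://blog.example.test/alice</Service>'

# Constructed keys; with a real signature these would be per-party private keys.
HOST_KEY = b"host-key-constructed"
ACTIVITY_KEY = b"activity-service-key-constructed"


def canonical(xml_text: str) -> bytes:
    """C14N 2.0 form of the XML so that whitespace and attribute order do not
    change what gets signed (the same reason XML DSig canonicalizes)."""
    return ET.canonicalize(xml_text, strip_text=True).encode("utf-8")


def sign(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 as a stand-in for the DSig signature value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(data, key), sig)


# --- Design A: one signature by the host over the entire XRD ----------------

def sign_whole(xrd_text: str, host_key: bytes) -> str:
    return sign(canonical(xrd_text), host_key)


def verify_whole(xrd_text: str, sig: str, host_key: bytes) -> bool:
    return verify(canonical(xrd_text), sig, host_key)


def add_service(xrd_text: str, service_xml: str) -> str:
    """Steps 2-3 of the flow: the host appends the entry a third party sent."""
    root = ET.fromstring(xrd_text)
    root.append(ET.fromstring(service_xml))
    return ET.tostring(root, encoding="unicode")


# --- Design B: each Service entry signed by the party that contributed it ---

def sign_entry(service_xml: str, party_key: bytes) -> str:
    """The contributing service signs only its own entry, before sending it."""
    return sign(canonical(service_xml), party_key)


def entry_by_id(xrd_text: str, service_id: str) -> str:
    """Re-serialize one Service child so a verifier can canonicalize it alone."""
    root = ET.fromstring(xrd_text)
    for svc in root.findall("Service"):
        if svc.get("id") == service_id:
            svc.tail = None  # trailing whitespace is not part of the entry
            return ET.tostring(svc, encoding="unicode")
    raise KeyError(service_id)


def verify_entry(xrd_text: str, service_id: str, sig: str, party_key: bytes) -> bool:
    return verify(canonical(entry_by_id(xrd_text, service_id)), sig, party_key)


def demo() -> dict:
    """Walk both designs through the flow from the thread and report what verifies."""
    host_sig = sign_whole(SAMPLE_XRD, HOST_KEY)
    updated = add_service(SAMPLE_XRD, ACTIVITY_SERVICE)     # entry added by the host
    entry_sig = sign_entry(ACTIVITY_SERVICE, ACTIVITY_KEY)  # signed by the service itself
    later = add_service(updated, BLOG_SERVICE)              # a further, unrelated addition
    return {
        "original_verifies": verify_whole(SAMPLE_XRD, host_sig, HOST_KEY),
        "old_host_sig_after_add": verify_whole(updated, host_sig, HOST_KEY),
        "host_resigned_after_add": verify_whole(updated, sign_whole(updated, HOST_KEY), HOST_KEY),
        "entry_sig_in_updated": verify_entry(updated, "activity", entry_sig, ACTIVITY_KEY),
        "entry_sig_after_later_add": verify_entry(later, "activity", entry_sig, ACTIVITY_KEY),
        "entry_sig_wrong_key": verify_entry(later, "activity", entry_sig, HOST_KEY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

With an asymmetric signature the verifier would hold only each party's public key; under the HMAC stand-in both sides share the key, so the boolean outcomes, not the key handling, are the point. Note also that a per-entry signature says nothing about which entries belong in the document: removing or duplicating a signed entry is not detected without a covering signature over the set, which is one reason a host-level signature remains useful even where service-level signing is adopted.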