Subject: Re: [xri] xml dsig profile
Read the wiki page... +1

A couple of questions...

1. Could a proxy unintentionally change the "canonicalize-raw-octets" stream? It shouldn't, though I know that some proxies do gzip encoding on the fly. Again, I don't think it will be a problem but wanted to make sure.

2. Should the verification process specifically define rules (or reference rules) that require the signing certificate to be "authoritative" for the XRD? The reason this came to mind is that a proxy could completely swap out the XRD and its Signature header. The signature would verify, but would be signed by an entity not authoritative for the XRD.

Thanks,
George

Brian Eaton wrote:
> On Thu, Mar 12, 2009 at 4:52 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
>
>> Finally, I am coming back.
>
> Welcome.
>
>> So, what is the status of XRD signature argument right now?
>
> http://wiki.oasis-open.org/xri/XrdOne/XmlDsigProfile (I've got an XML
> version too, if anyone prefers that.)
>
> That's basically the SimpleSign proposal, with three changes:
> 1) Reuse bits of the XML DSIG schema, because I got tired of cutting
> and pasting them.
> 2) Certificate chain support.
> 3) Signature in HTTP header.
>
> Dirk is working on integrating that spec into the step2 project
> (OpenID + OAuth hybrid protocol), hosted at
> http://code.google.com/p/step2/.