Subject: Re: [xri] XML DSig


Interestingly, a similar discussion came up during one of the OAuth  
sessions last week.  It was noted that the prevailing wisdom used to  
be that requiring SSL/TLS for all transactions was too expensive of an  
operation.  But as far as anyone could recall, any tests to support  
that idea were several years old.  Everyone is still operating under  
the status quo of several years ago, but no one really knows if it's  
still an issue.

I'd love to ask the same question of XML DSig.  Everyone says that  
it's a really expensive operation, but how many people have actually  
tested it?  And how many people have actually tested it on modern  
hardware?  Regarding language support, I don't know that a good  
analysis of the landscape has been done within the last couple, at  
least that I could find published.  And as we all know, just because  
there are libraries out there doesn't necessarily mean that they are  
any good.  I'd love to volunteer to do a survey of XML DSig support in  
various languages, but I can't commit to the time just yet.

-will


On May 26, 2009, at 4:51 PM, John Bradley wrote:

> I prefer XML DSig, but there has always been an objection from the  
> OpenID side due to perceived complexity.
>
> Though any sort of signature is too much for some folks.
>
> I think it mostly goes to adoption issues.
>
> Some people will ask if XML DSig is so good and simple why was XML  
> Simple sign required?
>
> For a high throughput RP there may be real issues, I can't say for  
> sure.
>
> John B.
>
> On 26-May-09, at 7:38 PM, Drummond Reed wrote:
>
>> I frankly do not have enough relevant experience to help with this  
>> decision. The question seems clear enough, however, so we should be  
>> able to answer it in some more-or-less objective fashion.
>>
>> Given that our own TC membership represents a relatively small  
>> sampling, are there any other “neutral” external sources that we  
>> can reference for their input?
>>
>> FWIW, I just read the current Wikipedia page on XML Signatures, http://en.wikipedia.org/wiki/XML_Signature,  
>> and it does still highlight the complexity and performance issues  
>> associated with the XML canonicalization requirements.
>>
>> Other views? Should we raise this on the OpenID lists? The OAuth  
>> lists?
>>
>> =Drummond
>>
>> From: Eran Hammer-Lahav [mailto:eran@hueniverse.com]
>> Sent: Tuesday, May 26, 2009 2:33 PM
>> To: Will Norris; xri@lists.oasis-open.org
>> Subject: Re: [xri] XML DSig
>>
>> The general sentiment here was that XML Dsig is too complicated/ 
>> overkill. This is not my area but I am reluctant to use XML Dsig  
>> without consensus here that it is not too complicated.
>>
>> EHL
>>
>>
>> On 5/26/09 2:23 PM, "Will Norris" <will@willnorris.com> wrote:
>>
>> I think this argument may have been valid 2 or 3 years ago with SAML.
>> I'm not sure that it holds any more.
>>
>>  - http://www.w3.org/Signature/#Code
>>  - http://identitymeme.org/categories/markup/xml/xmldsig/
>>  - http://xmlsig.sourceforge.net/
>>
>> Granted, I'm not sure what the status of these libraries are. But
>> given how long SAML has been around and how many different people have  
>> worked on this, I have no doubt there is at least one "good enough"
>> implementation for most any given language.
>>
>> -will
>>
>>
>> On May 26, 2009, at 2:00 PM, George Fletcher wrote:
>>
>> > Basically, the desire was to use a signing mechanism like that
>> > enabled with the SAML Simple Sign binding. This requires no
>> > canonicalization and is easy to implement in scripts. Note that perl  
>> > and ssh are great tools for testing this kind of signing. Good
>> > library support may be possible for php and java... but it really
>> > needs to carry over to all the other languages like ruby, python,
>> > perl, et al. This is where the canonicalization does become "hard".
>> > That said, I'm not totally opposed to using XMLDSig if that's where
>> > the TC goes, but I do think it will slow down adoption in the non-
>> > mainstream languages.
>> >
>> > Thanks,
>> > George
>> >
>> > Will Norris wrote:
>> >> I'm sure this must have been discussed before, but it was before I
>> >> got involved with the TC.  Why are we not using XML DSig for
>> >> signing XRD?  I just got off a Shibboleth call where we were
>> >> discussing the scope of work for adding OpenID and XRD support to
>> >> Shibboleth, and several people (Scott Cantor included, of course)
>> >> asked why we weren't using XML DSig.  I didn't actually know the
>> >> answer.  I've certainly wondered that myself, but kinda took it at
>> >> face value that there was a good reason.  Is there?  Is it really
>> >> just that XML Canonicalization is "too hard"?  If that's it, then
>> >> isn't the answer to just write better libraries ONCE and be done
>> >> with it?  Was there something else brought up in past discussions?
>> >>
>> >> If there is a good reason, that's fine... I'd just be a little
>> >> embarrassed (especially as a developer) if all we have is "it's too  
>> >> hard".
>> >>
>> >> -will
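The canonicalization point George and Will go back and forth on, shown in code. This is an added example, not code from the thread or from the XRI TC: it uses a constructed XRD-like document, the stdlib C14N 2.0 canonicalizer in place of the C14N variants XML DSig actually references, and HMAC-SHA256 in place of the public-key signature the SAML Simple Sign binding uses.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Two serializations of the same (constructed) XRD-like document. Attribute
# order, quote style and empty-element form differ; the XML infoset does not.
DOC_A = (b'<XRD><Subject>http://example.com/</Subject>'
         b'<Link rel="describedby" type="application/xrd+xml"/></XRD>')
DOC_B = (b"<XRD><Subject>http://example.com/</Subject>"
         b"<Link type='application/xrd+xml' rel='describedby'></Link></XRD>")


def raw_digest(doc: bytes) -> str:
    """Digest over the octets exactly as received. Any re-serialization
    by an intermediate XML library changes this value."""
    return hashlib.sha256(doc).hexdigest()


def c14n_digest(doc: bytes) -> str:
    """Digest over the canonical form (C14N 2.0 via the stdlib). This is
    the step XML DSig needs so both serializations digest to the same value."""
    canon = ET.canonicalize(doc.decode("utf-8"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def simple_sign(doc: bytes, key: bytes):
    """Simple Sign style: base64 the exact octets and sign that blob. The
    verifier checks the blob before decoding it, so no canonicalization is
    needed. HMAC-SHA256 stands in for the binding's public-key signature."""
    blob = base64.b64encode(doc).decode("ascii")
    mac = hmac.new(key, blob.encode("ascii"), hashlib.sha256).hexdigest()
    return blob, mac


def simple_verify(blob: str, mac: str, key: bytes):
    """Return the signed octets, or None if the MAC does not match."""
    expected = hmac.new(key, blob.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return base64.b64decode(blob)


if __name__ == "__main__":
    print("raw digests equal: ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("c14n digests equal:", c14n_digest(DOC_A) == c14n_digest(DOC_B))
    blob, mac = simple_sign(DOC_B, b"shared-secret")
    print("simple verify ok:  ", simple_verify(blob, mac, b"shared-secret") == DOC_B)
```

The raw digests differ while the canonical ones agree, which is exactly the cost DSig pays and Simple Sign avoids by never letting a parser touch the bytes before they are verified.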

