OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xri message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [xri] Re: Proposal for XRD 1.0 signing to use constrained XML dSig


Dirk Balfanz wrote on 2009-05-31:
> (1) What's wrong with
> http://wiki.oasis-open.org/xri/XrdOne/XmlDsigProfile?

It's yet another proprietary signing mechanism for signing content that
already has a stable standard for implementing signatures. For those who
have already implemented support for that standard because it was necessary
in the long term, it's more work, not less, to use a competing method.

Personally, I merely asked that some of be allowed to use the existing
standard as an option, rather than be forced to support yet another custom
approach. I didn't necessarily ask that it be the only approach.
 
> (2) I don't know anything about XML dSig, Q-names, SAML profiles,
> etc., so I was wondering what the actual proposed (adopted?)
> canonicalization/signature method is.

The same constrained subset of XML Signature that SAML uses is applicable to
this use case. It's in section 5 of SAML core, and has been used in a few
other specifications in various places. It's a whole document or ID
reference with only the Enveloped Signature and Exclusive C14N transforms
permitted.

> (3) My (limited) experience with OAuth tells me that canonicalization
> is hard. Do we have some library somewhere that implements this, or do
> we have multiple libraries, written in different languages by
> different people, that actually interoperate?

There are many interoperable c14n and signing libraries today, they just
happen to be in only the more mature languages. Implementing the subset of
c14n required to get this to work is an order of magnitude (or two) simpler
than those implementations had to be, as I believe Will is already finding.

There are also any number of c14n test vectors from the W3C to verify
compliance with.

> - incorporating a SAML library for the purpose of getting the SAML XML
> dSig mechanism into our step2 library (which does some proof-of-concept
> XRDS signature verification) would probably have been more work than the
> two lines of code it takes to generate and/or verify the signatures
> without any canonicalization (see
> http://wiki.oasis-open.org/xri/XrdOne/XmlDsigProfile).

Nobody has proposed any dependency on SAML or SAML code.
 
-- Scott




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]