Subject: RE: [xri] Re: Proposal for XRD 1.0 signing to use constrained XML dSig
Dirk Balfanz wrote on 2009-05-31:

> (1) What's wrong with
> http://wiki.oasis-open.org/xri/XrdOne/XmlDsigProfile?

It's yet another proprietary signing mechanism for signing content that already has a stable standard for implementing signatures. For those who have already implemented support for that standard because it was necessary in the long term, it's more work, not less, to use a competing method. Personally, I merely asked that some of us be allowed to use the existing standard as an option, rather than be forced to support yet another custom approach. I didn't necessarily ask that it be the only approach.

> (2) I don't know anything about XML dSig, Q-names, SAML profiles,
> etc., so I was wondering what the actual proposed (adopted?)
> canonicalization/signature method is.

The same constrained subset of XML Signature that SAML uses is applicable to this use case. It's in section 5 of SAML core, and has been used in a few other specifications in various places. It's a whole document or ID reference with only the Enveloped Signature and Exclusive C14N transforms permitted.

> (3) My (limited) experience with OAuth tells me that canonicalization
> is hard. Do we have some library somewhere that implements this, or do
> we have multiple libraries, written in different languages by
> different people, that actually interoperate?

There are many interoperable c14n and signing libraries today, they just happen to be in only the more mature languages. Implementing the subset of c14n required to get this to work is an order of magnitude (or two) simpler than those implementations had to be, as I believe Will is already finding. There are also any number of c14n test vectors from the W3C to verify compliance with.

> - incorporating a SAML library for the purpose of getting the SAML XML
> dSig mechanism into our step2 library (which does some proof-of-concept
> XRDS signature verification) would probably have been more work than the
> two lines of code it takes to generate and/or verify the signatures
> without any canonicalization (see
> http://wiki.oasis-open.org/xri/XrdOne/XmlDsigProfile).

Nobody has proposed any dependency on SAML or SAML code.

-- Scott
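The constrained profile Scott describes (a single ds:Reference that is either a whole-document or same-document ID reference, with only the Enveloped Signature and Exclusive C14N transforms allowed) is something a verifier should enforce before it ever checks a digest, because an unconstrained ds:Transforms chain lets the signer decide what was actually covered. The following is an added example, not code from the thread, the XRD working group or any library it mentions: a stdlib-only profile check that walks the ds:Signature of an XRD and reports every deviation from that subset. The attribute name `ID` and the sample XRD documents are constructed for illustration; the cryptographic verification of the digest and signature value is assumed to happen afterwards, in whatever XML Signature library is in use.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
EXC_C14N_WC = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"  # used only in the "bad" sample

# The SAML-style constrained profile: enveloped signature plus exclusive C14N, nothing else.
ALLOWED_TRANSFORMS = {ENVELOPED, EXC_C14N, EXC_C14N_WC}
ALLOWED_C14N = {EXC_C14N, EXC_C14N_WC}


def check_profile(xml_text, id_attr="ID"):
    """Return the list of profile violations; an empty list means the Signature fits the profile.

    id_attr is the attribute carrying the root element's ID (assumed to be "ID" here)."""
    root = ET.fromstring(xml_text)
    errors = []

    # Exactly one enveloped ds:Signature directly under the root element.
    sigs = root.findall(f"{{{DS}}}Signature")
    if len(sigs) != 1:
        return [f"expected one ds:Signature child of the root element, found {len(sigs)}"]
    signed_info = sigs[0].find(f"{{{DS}}}SignedInfo")
    if signed_info is None:
        return ["ds:Signature has no ds:SignedInfo"]

    # SignedInfo itself must be canonicalized with Exclusive C14N.
    c14n = signed_info.find(f"{{{DS}}}CanonicalizationMethod")
    c14n_alg = c14n.get("Algorithm") if c14n is not None else None
    if c14n_alg not in ALLOWED_C14N:
        errors.append(f"CanonicalizationMethod not permitted by profile: {c14n_alg}")

    # A single Reference that points at the whole document ("") or at the root's own ID.
    refs = signed_info.findall(f"{{{DS}}}Reference")
    if len(refs) != 1:
        errors.append(f"expected exactly one ds:Reference, found {len(refs)}")
        return errors
    ref = refs[0]
    uri = ref.get("URI", "")
    root_id = root.get(id_attr)
    if uri != "" and not (root_id is not None and uri == "#" + root_id):
        errors.append(f"Reference URI must be \"\" or #{root_id}, got {uri!r}")

    # Transforms: enveloped-signature is required (so the Signature is excluded from the
    # digest input) and no transform outside the profile (e.g. XPath) may appear.
    transforms = [t.get("Algorithm")
                  for t in ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")]
    if ENVELOPED not in transforms:
        errors.append("enveloped-signature transform is missing")
    for alg in transforms:
        if alg not in ALLOWED_TRANSFORMS:
            errors.append(f"transform not permitted by profile: {alg}")
    return errors


def sample_xrd(transforms, uri="#xrd-1", c14n=EXC_C14N):
    """Build a constructed, unsigned-in-practice XRD carrying a ds:Signature skeleton."""
    transform_xml = "".join(f'<ds:Transform Algorithm="{t}"/>' for t in transforms)
    return f"""<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0" ID="xrd-1">
  <Subject>http://example.com/</Subject>
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{c14n}"/>
      <ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
      <ds:Reference URI="{uri}">
        <ds:Transforms>{transform_xml}</ds:Transforms>
        <ds:DigestMethod Algorithm="{DS}sha1"/>
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
</XRD>"""


# Constructed samples: one that fits the profile, one that smuggles in an XPath transform
# and drops the enveloped transform, and one whose Reference points somewhere else.
GOOD_XRD = sample_xrd([ENVELOPED, EXC_C14N])
XPATH_XRD = sample_xrd([XPATH, EXC_C14N])
FOREIGN_REF_XRD = sample_xrd([ENVELOPED, EXC_C14N], uri="#other-element")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_XRD), ("xpath", XPATH_XRD), ("foreign", FOREIGN_REF_XRD)):
        print(name, check_profile(doc) or "OK")
```

Running the check first and rejecting any document with a non-empty violation list keeps the digest computation simple: once the profile holds, the only canonicalization a verifier needs is Exclusive C14N over the root with the Signature element removed, which is the small subset of c14n the message refers to.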