
Subject: Adoption of constrained XML dSig (was RE: [xri] Minutes: XRI TC Telecon 2-3PM PT Thursday 2009-06-11)


I would go even further and suggest that the main reason that the signing mechanism in XRI Resolution 2.0 (which did use the SAML profile of XML dSig) was not adopted was that the primary use cases for trusted XRDS documents (XRI resolution and OpenID discovery) were satisfied by SSL.

So the need for signed XRDS documents just wasn’t there yet.

With XRD 1.0, we’re talking a much larger marketplace, where the use for XRI resolution is just one segment of the overall usage, and where the need for libraries that do trusted discovery will be much more widespread, particularly for OpenID, OAuth, SAML, etc.

In a nutshell, that’s why the TC now has many more members involved who care about a simple, standard way to sign XRD documents.

That said, it doesn’t change the need for us to very carefully consider our choice of the XRD signature mechanism to ensure that we strike the right balance between maximizing standardization and minimizing barriers to adoption. Which is exactly what we are doing.

=Drummond


From: markus.sabadello@gmail.com [mailto:markus.sabadello@gmail.com] On Behalf Of Markus Sabadello
Sent: Friday, June 12, 2009 11:35 AM
To: John Bradley
Cc: Nat Sakimura; Drummond Reed; XRI TC
Subject: Re: [xri] Minutes: XRI TC Telecon 2-3PM PT Thursday 2009-06-11

There has been some support for SAML assertions in OpenXRI for a long time, but I don't think anyone ever used that.

Markus

On Fri, Jun 12, 2009 at 2:39 PM, John Bradley <jbradley@mac.com> wrote:

It should also be pointed out that a lack of support in openXRI and in the root authority servers was probably what stopped XML Dsig in XRI 2.0.

From conversations a year or so ago I recall that Dirk and Brenno had some other issues as well. Though none of them at the time regarding canonicalization.

John B.


On 12-Jun-09, at 4:40 AM, Nat Sakimura wrote:

It is kind of interesting that the OpenID list is generally negative against XML Dsig while OAuth is positive (though, as Eran states, there is no use case for OAuth but for OpenID.)

So, I posted the next question to the OpenID list: whether they would be amenable to XML DSig if native-language forms of libraries are provided to them. (I hope they will be.)

We all know that XML DSig in XRI Resolution 2.0 did not get any support. One of the factors must have been the lack of an easy-to-use library. This is one of the things that we must address.

Scott's description of the constrained C14N would be a good tool for changing people's mindset.

IMHO, writing a good spec is one thing, but getting traction on it is just as important. Trying again what we have failed at before, without a countermeasure, is something I would like to avoid.

=nat

--------------------------------------------------
From: "Drummond Reed" <drummond.reed@cordance.net>
Sent: Friday, June 12, 2009 9:58 AM
To: "'XRI TC'" <xri@lists.oasis-open.org>
Subject: [xri] Minutes: XRI TC Telecon 2-3PM PT Thursday 2009-06-11

Following are the minutes of the unofficial telecon of the XRI TC at:

Date:  Thursday, 11 June 2009 USA
Time:  2:00PM - 3:00PM Pacific Time (21:00-22:00 UTC)

(Note: Drummond could not attend so these minutes were taken by John.)

ATTENDING

Scott Cantor
Nat Sakimura
Will Norris
John Bradley

REGRETS

Drummond Reed
Eran Hammer-Lahav


1) DO WE STILL NEED A SIMPLE SIGNING METHOD?

Among the attendees on this call, the consensus was, "probably not".

Nat is still concerned about adoption, and is looking for more feedback from
the OpenID mailing list.

John cynically thinks signing will not be popular with some people no matter
what the canonicalization method is.

Scott is going to create a description of the constrained form.

Scott added the following comment in email:

***** BEGIN QUOTE *****

Just for the permanent record, on the sparsely attended call today I raised
one of my other concerns about the proliferation of proprietary signing
mechanisms in specs, which is algorithm agility.

I had been planning to mention to Will that copying the SAML spec's outdated
recommendation to use RSAwithSHA1 as the signing algorithm was probably not
the ideal choice, since SHA256 is gradually replacing SHA1 as the current
"best option" until the new hash standard is done.

The more one duplicates signing functionality across multiple spots in the
software stack, the harder it is to maintain control over the algorithms
being used and maintain some degree of agility as these old algorithms fall
into disrepair.

***** END QUOTE *****

John thinks that once implementers try c14n once they will like it "like
green eggs and ham", as Dr. Seuss said. He said that making sure the 5 or 6
main OpenID libraries support it will cover 90% of the initial users.


2) OTHER XRD 1.0 ISSUES

Will raised the question of TargetSubject and how that would work when
delegating entire domains. It may be that using TargetAuthority will be
sufficient. Will is exploring use cases.
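A defender-side illustration of Scott's algorithm-agility point above, added here and not part of the thread or of any TC or OpenXRI implementation: a verifier that enforces a configurable allow-list over the algorithm URIs declared in ds:SignedInfo, so that retiring RSAwithSHA1 in favour of SHA256 is a policy change rather than a code change in every library. The XRD sample document, the dummy signature values and the contents of the allow-list are constructed assumptions; the algorithm URIs themselves are the standard XML DSig identifiers.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Allow-list for the algorithm URIs in ds:SignedInfo (assumption: one
# deployment's policy). SHA1 identifiers are absent on purpose, so a
# SAML-style RSAwithSHA1 signature fails closed rather than slipping through.
POLICY = {
    "CanonicalizationMethod": {
        "http://www.w3.org/2001/10/xml-exc-c14n#",
        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    },
    "SignatureMethod": {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"},
    "DigestMethod": {"http://www.w3.org/2001/04/xmlenc#sha256"},
}

def signed_info_algorithms(xml_text):
    """Collect the Algorithm URIs declared under ds:SignedInfo, by element."""
    root = ET.fromstring(xml_text)
    signed_info = root.find(f".//{DS}Signature/{DS}SignedInfo")
    if signed_info is None:
        raise ValueError("no ds:SignedInfo found")
    found = {name: [] for name in POLICY}
    for elem in signed_info.iter():
        name = elem.tag.replace(DS, "")
        if name in found:
            found[name].append(elem.get("Algorithm", ""))
    return found

def check_algorithms(xml_text, policy=POLICY):
    """Return 'Element: uri' violations ([] = compliant). Run this before any
    cryptographic work so a downgraded algorithm is rejected by policy."""
    found = signed_info_algorithms(xml_text)
    violations = []
    for name, allowed in policy.items():
        if not found[name]:
            violations.append(f"{name}: missing")
        violations.extend(f"{name}: {u}" for u in found[name] if u not in allowed)
    return violations

def sample_xrd(sig_alg, digest_alg):
    """Constructed XRD-like document; signature/digest values are dummies."""
    return f"""<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="{sig_alg}"/>
  <ds:Reference URI=""><ds:DigestMethod Algorithm="{digest_alg}"/>
  <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature></XRD>"""
```

The check is deliberately independent of any signature verification library: it inspects only the declared identifiers, so the same policy can sit in front of whichever XML DSig implementation a given OpenID library ends up using.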



---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


