
Subject: Re: [xri] Second thoughts


On Tue, Feb 2, 2010 at 15:58, John Bradley <jbradley@mac.com> wrote:
> We discussed that option but requiring the XRD to always be base 64 encoded was not popular.

Yes, I heard these before, and I am worried if we gave proper relative
weight vs. the disadvantages of poor XML DSig support in scripting
languages.

>
> The advantage of XML Dsig is that clients not interested in the signature only have one format to worry about.

Similar if you use Base64 encoding in all cases.

>
> If someone wants to do an additional trust profile with something like SAML simple Sign that is fine but was rejected for a number of reasons as the default.
>
> I think we should leave Dsig as is in the short term.

I'm not saying we shouldn't, I am just wary that we will have to
re-visit this decision via an extension and create additional
difficulties with adoption of the trust profile later.

>
> With tokens where there is a closer relationship to the binding the signature and encryption issues are somewhat different.
>
> John B.
> On 2010-02-02, at 8:41 PM, Breno de Medeiros wrote:
>
>> On Tue, Feb 2, 2010 at 15:34, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>>> First, WRAP is running away from crypto in general. It is based on the assumption that client developers are limited.
>>>
>>> We would all love to find a signature process that does not require canonicalization but that means moving the signature to the transport layer or in a separate document. We are going to leave the XML DSig in because it is very useful to have. But if you have new proposals, it would be great to consider them for the immediate set of protocols looking to use XRD.
>>
>> I think the approach with these standards is to have the payload base
>> 64 encoded and attached with the signature.
>>
>> The clients download the payload, (optionally) verify the signature,
>> and then extract the content (enveloping signature).
>>
>>
>>>
>>> However, I would like us not to lose focus considering we do not have alternatives at this point.
>>>
>>> EHL
>>>
>>>> -----Original Message-----
>>>> From: Breno de Medeiros [mailto:breno@google.com]
>>>> Sent: Tuesday, February 02, 2010 2:59 PM
>>>> To: xri@lists.oasis-open.org
>>>> Subject: [xri] Second thoughts
>>>>
>>>> Looking at developments since our decision to use XML DSig to sign XRD
>>>> documents:
>>>>
>>>> - OAuth WRAP was launched with canonicalization-free signatures for tokens
>>>> - Proposal for Salmon signatures based on canonicalization-free signatures on
>>>> streams
>>>>
>>>> I am increasingly concerned that the direction is going away, not towards,
>>>> meeting XML DSig.
>>>>
>>>> --
>>>> --Breno
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>>
>>>
>>
>>
>>
>> --
>> --Breno
>>
>> +1 (650) 214-1007 desk
>> +1 (408) 212-0135 (Grand Central)
>> MTV-41-3 : 383-A
>> PST (GMT-8) / PDT(GMT-7)
>>
>>
>
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
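
The enveloping approach described in the thread (base64-encode the payload, attach the signature, optionally verify, then extract), as an added example that is not part of the original messages. HMAC-SHA256 with a shared key stands in for a real public-key signature; the JSON envelope, the key, the function names and the sample XRD are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a shared demo key stands in for the
# public-key signature a real trust profile would use.
KEY = b"constructed-demo-key"

# Constructed sample document, not taken from the thread.
XRD = (b'<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">\n'
       b'  <Subject>http://example.com/</Subject>\n</XRD>')


def _mac(data: bytes) -> str:
    """Keyed digest over the exact bytes given; no canonicalization."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def wrap(payload: bytes) -> str:
    """Base64-encode the payload and sign the encoded text as transmitted."""
    data = base64.urlsafe_b64encode(payload).decode("ascii")
    return json.dumps({"data": data, "sig": _mac(data.encode("ascii"))})


def unwrap(envelope: str, verify: bool = True) -> bytes:
    """Optionally verify the signature, then extract the content."""
    env = json.loads(envelope)
    data = env["data"].encode("ascii")
    if verify and not hmac.compare_digest(_mac(data), env["sig"]):
        raise ValueError("signature mismatch")
    return base64.urlsafe_b64decode(data)


def reserialize(xml: bytes) -> bytes:
    """Simulate an XML toolchain rewriting attribute quotes, a difference
    that Canonical XML would normalize away before signing."""
    return xml.replace(b'"', b"'")


if __name__ == "__main__":
    env = wrap(XRD)
    print(unwrap(env) == XRD)                # verifying client
    print(unwrap(env, verify=False) == XRD)  # client ignoring the signature
    # A signature over raw XML bytes, with no canonicalization step,
    # does not survive re-serialization of the same document:
    print(_mac(XRD) == _mac(reserialize(XRD)))
```

Every client, verifying or not, must base64-decode before it can read the XRD, which is the cost weighed in the thread against having to canonicalize XML.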

