[OpenID] experimental namespace for openid.net

Peter Williams pwilliams at rapattoni.com
Sun Jul 12 04:58:42 UTC 2009


Santosh

xmldsig is used in SAML2 websso, by Google even. I don't know how many app domains they have using it (much like they will have similar domains pointing to their IDP service bus), but it works fine with lots of vendors across lots of platforms.

XMLDSIG works as well for XRDS and XRD (XML) as any other stream of XML. Being an xml process, it signs XML; not any particular XML type. Given the nature of XML, you are asking for serious interoperability problems if you treat XML as a byte string, rather than a type system.

I'll grant you that there are lots of ways to make xmldsig not interwork - by relying on all the many features that folks in the XML space decided to "add" - over what went before (nice simple ASN.1 type signing, from 1984 as used a trillion times a year in https and authenticode/jar cert validation). But there is a community choice: do what now works (in the xmldsig profiles folks actually use for in-document signing references), or regress back to what we had before xml-dsig came on the scene - sign a byte stream!

The problem as I see it is that the very XMLness that XRI and XMLDSIG were supposed to provide as "engineered" solutions is now being discarded - when adopting XRD as a file format (and XRD signing as signing a byte stream). This is all a bit sad - though predictable - as, in the 80%/20% design culture of the web, the lowest common denominator does always tend to win the adoption wars (e.g. openid, vs SAML2!)



________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Santosh Rajan [santrajan at gmail.com]
Sent: Saturday, July 11, 2009 7:05 PM
To: general at openid.net
Subject: Re: [OpenID] experimental namespace for openid.net

xmldsig works fine in proprietary systems where both signing and verification
are done by software from the same vendor, or at least where the vendor has
solved the interop problems on a case to case basis. Otherwise xmldsig as
far as I can read all over the web is plagued with interop problems. For a
case like OpenID with a multitude of vendors and platforms I don't think it
would be possible to solve all the interop probs on a case to case basis. I
am looking for someone who has successfully implemented xmldsig with XRDS
and I have not been able to find even one! Because if there was one, they
would be the best people to tell you. Unfortunately there isn't (or I haven't
found them, let me know if you know of anyone).


Peter Williams wrote:
>
> (a) since all major programming platforms already have an xmldsig library
> that is well settled in terms of functionality, interoperability and
> access to crypto hardware, I'm really not sure what we gain in openid-land
> by using the Google/TC canonicalization method.
>



-----

Santosh Rajan
http://santrajan.blogspot.com

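The canonicalization point Peter makes above (sign XML as a type system, not as a byte string) can be shown concretely. The following is an added example, not code from the thread or from any of the participants or projects it mentions. The two XRD documents are constructed samples; SHA-256 stands in for the DigestMethod, and the canonicalization used is the C14N 2.0 transform that ships in the Python standard library, assumed here as a stand-in for the C14N 1.0 / Exclusive C14N profiles that xmldsig deployments of that era actually named. The two documents carry the same XML infoset but differ in attribute order, quoting, whitespace inside start tags and empty-element form, which is exactly what a re-serializing intermediary produces.

```python
"""Why an XML signature needs a canonicalization step.

Added example (not from the mailing-list thread). Two XML-equivalent but
byte-different XRD documents: a byte-stream digest sees two different
documents, a digest over the canonical form sees one.
"""
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed sample XRD documents (not real discovery documents).
# Same infoset, different serialization: attribute order, quote style,
# whitespace inside the start tag, self-closing vs explicit empty element.
XRD_A = (
    '<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">'
    "<Subject>https://example.com/</Subject>"
    '<Link rel="http://specs.openid.net/auth/2.0/server" href="https://example.com/op"/>'
    "</XRD>"
)
XRD_B = (
    "<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>"
    "<Subject>https://example.com/</Subject>"
    '<Link   href="https://example.com/op"\n'
    '      rel="http://specs.openid.net/auth/2.0/server"></Link>'
    "</XRD>"
)


def raw_digest(doc: str) -> str:
    """Digest over the bytes as received: what 'sign the byte stream' does."""
    return hashlib.sha256(doc.encode("utf-8")).hexdigest()


def c14n_digest(doc: str) -> str:
    """Digest the way an XMLDSIG Reference is computed: apply the
    canonicalization transform first, then the DigestMethod.
    Stdlib C14N 2.0 is assumed here as the agreed canonicalization algorithm."""
    canon = canonicalize(doc, with_comments=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def verify_reference(doc: str, expected_digest: str) -> bool:
    """Verifier side: recompute the reference digest over the canonical form
    and compare it in constant time with the signer's DigestValue."""
    return hmac.compare_digest(c14n_digest(doc), expected_digest)


if __name__ == "__main__":
    # Byte-stream view: the two serializations are different documents.
    print("raw digests equal:  ", raw_digest(XRD_A) == raw_digest(XRD_B))
    # Canonical view: they are the same document.
    print("c14n digests equal: ", c14n_digest(XRD_A) == c14n_digest(XRD_B))

    # A verifier holding the signer's digest of XRD_A accepts a re-serialized
    # copy only because both sides canonicalize first.
    signed_value = c14n_digest(XRD_A)
    print("re-serialized copy verifies:", verify_reference(XRD_B, signed_value))

    # A semantic change (different OP endpoint) is still rejected.
    tampered = XRD_B.replace("https://example.com/op", "https://evil.example/op")
    print("tampered copy verifies:     ", verify_reference(tampered, signed_value))
```

The interop problems Santosh describes live in this one step: if signer and verifier do not agree on the canonicalization algorithm (and on every other transform listed in the Reference), the digests diverge and the signature fails even though the document is untouched. A deployment profile for XRD signing should therefore pin a single canonicalization algorithm, name a single DigestMethod, and reject any Signature element that lists other transforms, rather than leaving each implementation to pick from the full xmldsig feature set.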


