[OpenID] XRI TC - An Outsiders perspective
John Panzer
jpanzer at acm.org
Sun Jul 12 18:30:30 UTC 2009
Peter Williams wrote:
> "I was pushing for a very simple Signing method but people did not want to invent yet another signing method for XML.
> Thus, I and my colleague Tatsuki made some research on the implementation issues there.
> What we have found out was that, if we stick to the Exclusive c14n, it works OK for Java, Python, PHP.
> It does not for Ruby, so we need to make a decent library for it. The same is probably true for Perl. For Python, there was a pure Python library, so it will probably work for GAE as well."
>
> Not impressed.
>
> 2 years ago I literally sat at the bar with a good ruby programmer, who within 1h made the ruby/java bridge work - giving ruby all of java's crypto support. 2h later we had websso between a SAML2 IDP and his intercepting ruby proxy (that acted as an RP - that fronted an RDF-like data source SP).
>
> you are not going to implement AES and RSA in native ruby script; you are going to use a native code library. Since you can bridge to native code/hardware anyways, you can bridge there via java (just another hardware VM) - without upsetting even the most pure of the ruby crowd. Since java has strong types (and ruby doesn't), this makes good sense anyways - when doing security enforcement.
>
This is a bit of a straw man. All serious proposals (as far as I can
tell) rely on the same well vetted crypto building blocks such as AES
and RSA and presumably will all use the same set of low level crypto
libraries. The open issues surround basically how to create the octets
that RSA and AES and whatnot operate on, as they know nothing of XML,
charsets, XRI, URIs, etc.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
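
Added example, not part of the original message: a sketch of why the octets matter more than the crypto primitive. It assumes HMAC-SHA256 as a stand-in for the RSA signature and uses the C14N 2.0 canonicalizer from the Python standard library rather than the Exclusive c14n discussed in the thread; the key and documents are constructed.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed demo key; a real deployment would use an RSA private key.
KEY = b"constructed-demo-key"

# Two serializations of the same XML infoset (constructed sample data):
# different quoting, attribute order, whitespace and empty-element form.
DOC_A = ('<xrd xmlns="urn:example:xrd">'
         '<link rel="provider" href="https://idp.example/"/></xrd>')
DOC_B = ("<xrd xmlns='urn:example:xrd'>"
         "<link href='https://idp.example/'   rel='provider'></link></xrd>")
# Same shape as DOC_A but with a different href: a real content change.
DOC_C = ('<xrd xmlns="urn:example:xrd">'
         '<link rel="provider" href="https://evil.example/"/></xrd>')


def sign_raw(xml_text: str) -> str:
    """Sign the octets exactly as serialized; no XML awareness at all."""
    return hmac.new(KEY, xml_text.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_canonical(xml_text: str) -> str:
    """Canonicalize first, then sign the resulting UTF-8 octets."""
    octets = canonicalize(xml_text).encode("utf-8")
    return hmac.new(KEY, octets, hashlib.sha256).hexdigest()


def verify(xml_text: str, tag: str, signer) -> bool:
    """Recompute the tag with the given signer and compare in constant time."""
    return hmac.compare_digest(signer(xml_text), tag)


if __name__ == "__main__":
    # Re-serialization alone breaks a signature over raw octets.
    print("raw, reserialized:      ", verify(DOC_B, sign_raw(DOC_A), sign_raw))
    # Canonicalization makes equivalent documents yield identical octets.
    print("canonical, reserialized:",
          verify(DOC_B, sign_canonical(DOC_A), sign_canonical))
    # A genuine content change still fails verification.
    print("canonical, tampered:    ",
          verify(DOC_C, sign_canonical(DOC_A), sign_canonical))
```

Signer and verifier must agree on the same canonicalization algorithm; mixing C14N variants fails in the same way the raw case does.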