[OpenID] Signing method for XRD

Santosh Rajan santrajan at gmail.com
Wed Jun 10 09:47:11 UTC 2009


Oops, please ignore my earlier reply.

If you want to make it simple and easy for programmers, then I suggest:
1) XMLDSig detached signature with no canonicalization
2) The signature and certificate links will be in separate <Link> elements.


Nat Sakimura wrote:
> 
> Hi all:
> 
> At the XRI TC of OASIS Open, we are talking about the signing method for XRD.
> The current trend in the TC is to use a constrained form of XML DSig,
> which is found in the SAML Core spec. We are almost decided on it,
> but I would like to hear from the community whether it would be OK.
> 
> The reason I ask this is that when we started to discuss the
> signing method for XRD back in November last year, we were
> hearing from the community that XML DSig is too complex and
> hard to use for some developers. That's why we came up with
> "Simple Sign", which basically signs the blob without any
> canonicalization.
> 
> e.g.,
> 
> <SXRD sig="signature"
>       sigalg="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
>       certuri="pem file location"
>       data="BASE64 of the payload" />
> 
> Where:
> 
> 
>    - XRD/@data : Base64-encoded XRD to be signed.
>    - XRD/@sig : Signature taken over the original data (before Base64
>    encoding).
>    - XRD/@certuri : (Optional) Certificate location. Either XRD/@certuri or
>    XRD/@certs MUST be present.
>    - XRD/@certs : (Optional) The content of XRD/@certuri. If both
>    XRD/@certuri and XRD/@certs are present, XRD/@certs takes precedence.
>    - XRD/@sigalg : (Optional) Signature algorithm. Defaults to rsa-sha1.
> 
> 
> When we started writing a spec on such a thing, we found that we were
> re-writing a lot of things that are already in XML DSig.
> As a result, XML DSig with a new canonicalization
> method (no-canonicalization) was discussed, and in the end
> it seems the discussion precipitated to "After all, constrained XML DSig
> would be good enough."
> Theoretically, it looks good.
> 
> The remaining question is then the reality check, such as:
> 
>    - Is it widely implementable, in each scripting language and hosting
>    environment including Google AppEngine, Force.com, etc.?
>    - Would the community feel that this is simple enough?
> 
> I would appreciate your insight/opinion/input into this matter.
> 
> Best,
> 
> -- 
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> 
> 


-----

Santosh Rajan
http://santrajan.blogspot.com
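An added example, not code from either mail, of the "Simple Sign" container sketched in Nat's quoted message: the XRD bytes are signed as they are (no canonicalization), base64-encoded into @data, and the rsa-sha1 signature placed in @sig, with the verifier decoding @data before checking the signature. Assumptions beyond the mail: @sig carries base64 of the raw RSASSA-PKCS1-v1_5 signature (the mail does not say how the signature bytes are encoded); the verifier already holds the public key that the certificate at @certuri or in @certs would supply, so certificate fetching and chain validation are left out; the sample XRD and certificate URL are constructed placeholders; and RSA plus key generation are hand-rolled over Python integers only so the example runs offline, which is not how a deployment should do it.

```python
import base64
import hashlib
import hmac
import random
import xml.etree.ElementTree as ET

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"   # the only sigalg the mail names
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER DigestInfo prefix (RFC 3447 9.2)
_rng = random.SystemRandom()


def _is_probable_prime(n, rounds=20):
    """Trial division by a few small primes, then Miller-Rabin."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(c):
            return c


def generate_keypair(bits=1024, e=65537):
    """Toy RSA key generation for this demo only: returns ((n, e), (n, d))."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e and (p * q).bit_length() == bits:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-1(message) into k bytes."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sha1_sign(message, priv):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")


def rsa_sha1_verify(message, sig, pub):
    """Re-encode the expected value and compare it whole instead of parsing the
    recovered padding; lenient padding parsers are where verifiers have gone wrong."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))


def make_sxrd(xrd_bytes, priv, certuri):
    """Build <SXRD/>: @data = base64(xrd), @sig over the *raw* xrd bytes, no
    canonicalization, as in the quoted mail. Base64 for @sig is an assumption."""
    el = ET.Element("SXRD", sigalg=RSA_SHA1, certuri=certuri)
    el.set("data", base64.b64encode(xrd_bytes).decode("ascii"))
    el.set("sig", base64.b64encode(rsa_sha1_sign(xrd_bytes, priv)).decode("ascii"))
    return ET.tostring(el, encoding="unicode")


def verify_sxrd(sxrd_xml, pub):
    """Return the XRD bytes if the signature checks out, else None. `pub` stands
    in for the key from the certificate at @certuri/@certs; that certificate has
    to be validated against a trust anchor, since @certs is under the signer's
    control and proves nothing on its own."""
    el = ET.fromstring(sxrd_xml)
    if el.tag != "SXRD" or el.get("sigalg", RSA_SHA1) != RSA_SHA1:
        return None                      # unknown algorithm: refuse rather than guess
    if el.get("certuri") is None and el.get("certs") is None:
        return None                      # the mail says one of them MUST be present
    try:
        data = base64.b64decode(el.get("data", ""), validate=True)
        sig = base64.b64decode(el.get("sig", ""), validate=True)
    except ValueError:
        return None
    # The signature covers the decoded payload, so decode before verifying.
    return data if rsa_sha1_verify(data, sig, pub) else None


def demo():
    """Round trip, then a tampered @data and a wrong key; constructed sample XRD."""
    pub, priv = generate_keypair(1024)
    xrd = b"<XRD><Subject>acct:alice@example.com</Subject></XRD>"   # constructed
    doc = make_sxrd(xrd, priv, "https://example.com/signer.pem")    # placeholder URL
    tampered = ET.fromstring(doc)
    tampered.set("data", base64.b64encode(xrd.replace(b"alice", b"mallory")).decode("ascii"))
    other_pub, _ = generate_keypair(1024)
    return (verify_sxrd(doc, pub) == xrd,
            verify_sxrd(ET.tostring(tampered, encoding="unicode"), pub) is None,
            verify_sxrd(doc, other_pub) is None)


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The two points worth taking from this for the "is it simple enough" question are that every verifier must agree on exactly which bytes were signed (here the decoded @data, so whitespace or attribute reordering in the container cannot break the check, but any change to the payload does), and that the scheme's simplicity stops at the signature: the verifier still needs a rule for which certificates it trusts, and an unknown @sigalg has to be rejected, not mapped to a default.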