[OpenID] Signing method for XRD

Peter Williams pwilliams at rapattoni.com
Wed Jun 10 16:10:44 UTC 2009


My first reaction was "ugh": XML-DSig has its own in-band mechanism for referencing keying material, and here is OpenID/XRD doing yet another standard for verifying signatures and validating the supporting keying material (probably poorly).

My second reaction, on reflection, was that XML-DSig is rarely used to its full potential. It's typically used in a PKCS#7 signing-and-sealing emulation mode, with an XML-centric view of the world and no particular benefit. But if XML-DSig fully uses its external references, and the references are to a world of XRD files which are TRUSTED to act as a key distribution mechanism, things get rather more interesting. In that world, the XRD is becoming a certificate as we know it, and one whose format and semantics would enable it to go beyond the staid ol' X.509 cert chains and benefit from the full expressive power of XRI queries and XRI resolution.

What the X.509 v3 format work took apart (divorcing asymmetric key management from DAP/LDAP resolution), XRI/XRD may be putting back together: query-based named-key resolution supporting trust-fabric meshes.


-------

From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Santosh Rajan [santrajan at gmail.com]
Sent: Wednesday, June 10, 2009 2:07 AM
To: general at openid.net
Subject: Re: [OpenID] Signing method for XRD

Looks good to me. Just two questions.
1) So this is an XMLDSig detached signature
(http://www.w3.org/TR/xmldsig-core/#def-SignatureDetached) with no
canonicalization?
2) The signature and certificate links are going to be in the attributes of
the <XRD> element and will not be in separate <Link> elements?



Nat Sakimura wrote:
>
> Hi all:
>
> At the XRI TC of OASIS Open, we are talking about the signing method for XRD.
> The current trend in the TC is to use a constrained form of XML DSig,
> which is found in the SAML Core spec. We have almost decided on it,
> but I would like to hear from the community whether it would be OK.
>
> The reason I ask this is that when we started to discuss the
> signing method for XRD back in November last year, we were
> hearing from the community that XML DSig is too complex and
> hard to use for some developers. That's why we came up with
> "Simple Sign", which basically signs the blob without any
> canonicalization.
>
> e.g.,
>
> <SXRD sig="signature"
>       sigalg="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
>       certuri="pem file location"
>       data="BASE64 of the payload" />
>
> Where:
>
>    - XRD/@data : Base64-encoded XRD to be signed.
>    - XRD/@sig : Signature taken over the original data (before Base64
>    encoding).
>    - XRD/@certuri : (Optional) Certificate location. Either XRD/@certuri or
>    XRD/@certs MUST be present.
>    - XRD/@certs : (Optional) The content of XRD/@certuri. If both
>    XRD/@certuri and XRD/@certs are present, XRD/@certs takes precedence.
>    - XRD/@sigalg : (Optional) Signature algorithm. Defaults to rsa-sha1.
>
>
> When we started writing a spec on such a thing, we found that we were
> re-writing a lot of things that are already in XML DSig.
> As a result, XML DSig with a new canonicalization
> method (no-canonicalization) was discussed, and in the end
> it seems the discussion precipitated to "After all, constrained XML DSig
> would be good enough."
> Theoretically, it looks good.
>
> The remaining question is then the reality check, such as:
>
>    - Is it widely implementable, in each scripting language and hosting
>    environment including Google AppEngine, Force.com, etc.?
>    - Would the community feel that this is simple enough?
>
> I would appreciate your insight/opinion/input into this matter.
>
> Best,
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>


-----

Santosh Rajan
http://santrajan.blogspot.com

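The "Simple Sign" wrapper Nat sketches above, worked through end to end as an added example; this is not code from the thread, from the XRI TC, or from any OpenID library, and it uses only the Go standard library. It signs the raw XRD bytes before base64 (so there is nothing to canonicalize, which is also the answer to Santosh's first question: any byte-level change to the payload invalidates the signature), inlines the key material in @certs, and verifies the result. Assumptions not in the thread: the Go struct name, the choice to carry a PEM "PUBLIC KEY" block in @certs (the message says "pem file" without saying what it holds), the constructed sample XRD, and the decision not to fetch @certuri. rsa-sha1 is used because the thread specifies it as the default, not because SHA-1 is an acceptable signature hash today. The verifier pins the algorithm rather than trusting @sigalg, and its success proves only that the holder of the embedded key signed those bytes; binding that key to the XRD's subject is the trust question Peter raises and is outside what a signature check can settle.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"encoding/xml"
	"fmt"
)

// The rsa-sha1 identifier from the thread; the only @sigalg Verify accepts (honouring any sender-chosen value invites algorithm substitution).
const sigAlgRSASHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

// SXRD models the thread's Simple Sign wrapper. Attribute names are the thread's; the struct and the PEM "PUBLIC KEY" block carried in @certs are this example's assumptions.
type SXRD struct {
	XMLName xml.Name `xml:"SXRD"`
	Sig     string   `xml:"sig,attr"`
	SigAlg  string   `xml:"sigalg,attr,omitempty"`
	CertURI string   `xml:"certuri,attr,omitempty"`
	Certs   string   `xml:"certs,attr,omitempty"`
	Data    string   `xml:"data,attr"`
}

// Sign signs the ORIGINAL XRD bytes (before base64) with no canonicalization, as the thread specifies, and inlines the public key as @certs.
func Sign(xrd []byte, key *rsa.PrivateKey) ([]byte, error) {
	digest := sha1.Sum(xrd)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return nil, err
	}
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for a valid RSA key
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: spki}) // newlines are escaped as &#xA; in the attribute and restored on parse
	return xml.Marshal(SXRD{
		Sig:    base64.StdEncoding.EncodeToString(sig),
		SigAlg: sigAlgRSASHA1,
		Certs:  string(pemKey),
		Data:   base64.StdEncoding.EncodeToString(xrd),
	})
}

// Verify checks the wrapper and returns the embedded XRD. It never fetches @certuri: dereferencing a sender-chosen URL from inside a verifier (SSRF, trusting whatever comes back) is a decision left to the caller.
func Verify(doc []byte) ([]byte, error) {
	var s SXRD
	if err := xml.Unmarshal(doc, &s); err != nil {
		return nil, err
	}
	if s.SigAlg != "" && s.SigAlg != sigAlgRSASHA1 { // empty means the thread's default, rsa-sha1
		return nil, fmt.Errorf("unsupported sigalg %q", s.SigAlg)
	}
	block, _ := pem.Decode([]byte(s.Certs))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("@certs is not an inline PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("@certs does not carry a parseable RSA key")
	}
	xrd, err1 := base64.StdEncoding.DecodeString(s.Data)
	sig, err2 := base64.StdEncoding.DecodeString(s.Sig)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("@data or @sig is not valid base64")
	}
	digest := sha1.Sum(xrd)
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA1, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	// Success proves only that the holder of the key in @certs signed these bytes; whether that key may speak for the XRD's subject is a separate trust question.
	return xrd, nil
}

// Demo signs a constructed XRD, verifies it, then swaps the payload under the original signature (what a tampering intermediary would do) and reports both outcomes.
func Demo() (genuineOK, tamperRejected bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	xrd := []byte(`<XRD><Subject>http://example.com/</Subject><Link rel="http://example.org/rel/provider" href="http://op.example.com/"/></XRD>`) // constructed sample, not a real XRD
	doc, err := Sign(xrd, key)
	if err != nil {
		return false, false, err
	}
	got, err := Verify(doc)
	genuineOK = err == nil && bytes.Equal(got, xrd)
	evil := bytes.Replace(xrd, []byte("op.example.com"), []byte("evil.example.net"), 1)
	forged := bytes.Replace(doc, []byte(base64.StdEncoding.EncodeToString(xrd)), []byte(base64.StdEncoding.EncodeToString(evil)), 1)
	_, verr := Verify(forged)
	return genuineOK, verr != nil, err
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("genuine verified:", ok, "| tampered rejected:", rejected, "| err:", err)
}
```

Run it with `go run .`; the genuine wrapper verifies back to the exact original bytes and the re-wrapped payload is rejected because the signature was computed over the old bytes. A real verifier built on this sketch still needs a policy for where the key in @certs (or at @certuri) gets its authority from, which the wrapper format itself does not provide.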