[OpenID] Signing method for XRD
Santosh Rajan
santrajan at gmail.com
Sun Jun 14 16:27:51 UTC 2009
Why don't we do something even simpler?
1) Stick the links to signature and certificate into the xrd.
2) Sign the document using pkcs7.
3) Change the content type of document to "application/sxrd" extension
".sxrd". Note that there will be not "+xml" in the content type, this will
ensure that no application in the pipe will modify the document.
XRD is a completely different ball game. We are potentially looking at a
user base of hundreds of millions, even billions. (Millions of OPs,
possibly, according to some.) In such a scenario it would be prudent to go with
something that is simple, ubiquitous and proven like the above. Given XMLDSig's
track record we don't want it to hamper adoption of XRD.
John Bradley-7 wrote:
>
> Peter,
>
> Yes some of us see the possibility of XRD as signed meta-data being a
> useful alternative to X.509 eventually.
>
> If we have a signature method that supports enveloping signatures,
> XRD will be more useful for those applications.
>
> We can opt for the simplest signing, that of signing the binary
> representation of the XRD and keeping the signature in a detached file.
> This may make life simpler for scripting languages dealing with
> canonicalization but at the cost of making it awkward to deal with
> in other environments where having the signature in the same document
> is very useful.
>
> Full XMLDsig is ugly because of qnames and other issues. We are
> proposing a constrained implementation that eliminates most of the
> canonicalization complexities, but is still compatible with existing
> libraries.
>
> John B.
> On 10-Jun-09, at 12:10 PM, general-request at openid.net wrote:
>
>> Date: Wed, 10 Jun 2009 09:10:44 -0700
>> From: Peter Williams <pwilliams at rapattoni.com>
>> Subject: Re: [OpenID] Signing method for XRD
>> To: Santosh Rajan <santrajan at gmail.com>, "general at openid.net"
>> <general at openid.net>
>> Message-ID:
>> <BFBC0F17A99938458360C863B716FE46398DCE8FDD at simmbox01.rapnt.com>
>> Content-Type: text/plain; charset="us-ascii"
>>
>>
>> my first reaction was ugh - xml-dsig has its own inband mechanism
>> for referencing keying material - and here is openid/xrd doing yet
>> another standard for verifying signatures and validating the
>> supporting keying material (probably poorly).
>>
>> My second reaction on reflection was that xml-dsig is rarely used to
>> its full potential. It's typically used in PKCS7 signing and
>> sealing emulation modes, with an XML centric view of the world -
>> with no particular benefit. But, if xml dsig fully uses its external
>> references, and the references are to a world of XRD files which are
>> TRUSTED to act as a key distribution mechanism, things get rather
>> more interesting. In that world, the XRD is becoming a certificate,
>> as we know it - and one whose format and semantics would enable it
>> to go beyond the staid ol' X.509 cert chains and benefit the full
>> expression power of xri queries and XRI resolution.
>>
>> What the X.509 v3 format work took apart (divorcing asymmetric key
>> management from dap/ldap resolution), XRI/XRD may be putting back
>> together: query-based named-key resolution supporting trust fabric
>> meshes.
>>
-----
Santosh Rajan
http://santrajan.blogspot.com
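The detached PKCS#7 flow proposed in the three steps above, as an added example using openssl's S/MIME tooling (not code from the thread or from any XRD implementation). The self-signed signer certificate, the sample XRD and its Link rel values are all constructed for the demo; it also shows that signing the raw bytes makes a simple whitespace rewrite by an intermediary break verification, the canonicalization trade-off John Bradley raises.

```shell
#!/bin/sh
# Added example: detached PKCS#7 signature over the exact bytes of an XRD.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed signer certificate, constructed for this demo only.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=xrd-demo" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# Constructed sample XRD (step 1): Link elements point at the detached
# signature and the signer certificate. The rel values are assumed.
cat > "$WORK/doc.xrd" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>https://example.org/</Subject>
  <Link rel="signature" href="https://example.org/doc.sxrd"/>
  <Link rel="signer-certificate" href="https://example.org/signer.pem"/>
</XRD>
EOF

# Step 2: detached PKCS#7 signature over the raw bytes. -binary disables
# S/MIME text canonicalization, so the signed bytes are exactly the file's.
sign_xrd() {
  openssl smime -sign -binary -in "$1" -signer "$WORK/cert.pem" \
    -inkey "$WORK/key.pem" -outform DER -out "$2" 2>/dev/null
}

# Verify a detached signature against a document; echoes ok/FAIL, returns 0/1.
verify_xrd() {
  if openssl smime -verify -binary -inform DER -in "$2" -content "$1" \
       -CAfile "$WORK/cert.pem" -purpose any -out /dev/null 2>/dev/null; then
    echo ok; return 0
  else
    echo FAIL; return 1
  fi
}

sign_xrd "$WORK/doc.xrd" "$WORK/doc.p7s"
verify_xrd "$WORK/doc.xrd" "$WORK/doc.p7s"

# Byte-exact signing means any intermediary rewrite (here: one extra space
# of indentation) breaks verification. This is why the proposal drops "+xml"
# from the media type: nothing in the pipe should treat the body as XML.
sed 's/^  <Subject>/   <Subject>/' "$WORK/doc.xrd" > "$WORK/reindented.xrd"
verify_xrd "$WORK/reindented.xrd" "$WORK/doc.p7s" || true
```

Serving the signed document as "application/sxrd" would carry the same bytes the signer saw; the verifier only needs the certificate referenced from the Link element.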