[OpenID] Signing method for XRD

Santosh Rajan santrajan at gmail.com
Mon Jun 15 04:10:58 UTC 2009




Peter Williams wrote:
> 
> 
> Go with a minimum-to-implement scheme. Don't assume folks use XML DSig
> libraries. Assume they custom code, and call crypto directly. This
> reflects the nature of the OpenID community, which is not W3C traditional
> (it's not Sun, Microsoft, IBM, etc.)
> 
> 

+1



> 
> DO use modern W3C efforts in derivedKey types from XML DSig 1.1. Allow the
> signature algorithm to be keyed by a derived key, which may even thus be
> derived from a Kerberos token (meaning XRD signing avoids the limits of
> public key). This learns from what WS-* SecureConversation techniques
> taught us.
> 
> Relying on derived keys, and custom software at the app layer, nicely
> decouples how one trusts the verification key from that which OpenID/XRI
> really need to do: get authenticated XRDs out there, without relying on
> full XRI Resolution and SAML tokens.  Specifying all the legitimate ways
> of deriving keys from authenticated keying material is not something the XRD
> signing spec need be concerned with. A non-normative annex might however
> specify how one can derive a symmetric HMAC-signing key from an OpenID
> association handle's master secret, illustrating how even OpenID auth
> itself may provide the underlying basis for verifying signatures on SEP
> discovery documents.
> 
> 

Sounds good, but don't know enough about this to give it a +1.


-----

Santosh Rajan
http://santrajan.blogspot.com
-- 
View this message in context: http://www.nabble.com/Signing-method-for-XRD-tp23956678p24028611.html
Sent from the OpenID - General mailing list archive at Nabble.com.
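
An added example, not part of the original thread or of any XRD specification: one way the derived-key idea quoted above could look, where a key derived from an OpenID association secret keys an HMAC over the XRD. The thread names no derivation function; HKDF (RFC 5869) is used here as an assumption, and the label string, the sample secret, the handle and the XRD bytes are all constructed. The signature is detached and computed over the exact bytes of the document, so no XML DSig library or canonicalization is involved.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_xrd_key(assoc_secret: bytes, assoc_handle: str) -> bytes:
    # The purpose label (an assumption of this example) separates the XRD
    # signing key from the association MAC key, so the association secret
    # is never used directly for a second purpose.
    return hkdf_sha256(assoc_secret, salt=assoc_handle.encode(),
                       info=b"xrd-signing-example")


def sign_xrd(xrd_bytes: bytes, key: bytes) -> str:
    """Detached HMAC-SHA256 tag over the exact bytes of the XRD."""
    return hmac.new(key, xrd_bytes, hashlib.sha256).hexdigest()


def verify_xrd(xrd_bytes: bytes, key: bytes, tag: str) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(sign_xrd(xrd_bytes, key), tag)


# Constructed sample values, for illustration only.
ASSOC_SECRET = bytes(range(32))
ASSOC_HANDLE = "example-assoc-handle-0001"
XRD = b"<XRD><Subject>http://example.com/</Subject></XRD>"

if __name__ == "__main__":
    key = derive_xrd_key(ASSOC_SECRET, ASSOC_HANDLE)
    tag = sign_xrd(XRD, key)
    print("tag:", tag)
    print("verifies:", verify_xrd(XRD, key, tag))
    print("tampered verifies:", verify_xrd(XRD.replace(b"example.com", b"evil.example"), key, tag))
```

Because the key is symmetric, anyone able to verify the tag can also produce one, so this only authenticates the XRD between the two parties that share the association.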



