Hi all: <br><br>At XRI TC of OASIS Open, we are talking about the signing method for XRD. <br>The current trend in the TC is that to use a constrained form of XML DSig, <br>which is found in the SAML Core spec. We are almost deciding on it, <br>
but I would like to hear from the community that if it would be OK. <br><br>The reason I ask this was that when we started to discuss the <br>signing method for XRD back in November last year, we were <br>hearing from the community that XML DSig is too complex and <br>
hard to use by some developers. That's why we came up with <br>"Simple Sign" which basically signes the blob without any <br>cannonicalization. <br><br>e.g., <br><br><pre><SXRD sig="signature" sigalg="<a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>" certuri="pem file location" data="BASE64 of the payload" /><br>
<br>Where: <br><span class="anchor" id="line-14"></span></pre><span class="anchor" id="line-15"></span><ul><li>XRD/@data : Base64 encoded XRD to be signed. <span class="anchor" id="line-16"></span><span class="anchor" id="line-17"></span><br>
</li><li>XRD/@sig : Signature taken over the original data (before Base64 encoding). <span class="anchor" id="line-18"></span><span class="anchor" id="line-19"></span></li><li>XRD/@certuri: (Optional) Certificate location.Either XRD/@certuri or XRD/@certs MUST be present. <span class="anchor" id="line-20"></span><span class="anchor" id="line-21"></span></li>
<li>XRD/@certs
: (Optional) The content of XRD/@certuri.If both XRD/@certuri and
XRD/@certs are present, XRD/@certs takes precidence. <span class="anchor" id="line-22"></span><span class="anchor" id="line-23"></span></li><li>XRD/@sigalg : (Optional) Signature Algorithm. Defaults to rsa-sha1. </li></ul>
<br>When we started writing spec on such thing, we found that we are re-writing a lot of things that are already in XML DSig. <br>As the result, XML DSig with new canonicalization method=no-canonicalization was discussed and in the end, <br>
it seems the discussion precipitated to "After all, constrained XML DSig would be good enough." <br>Theoretically, it looks good. <br><br>The remaining question is then the reality check, such as: <br><ul><li>Is it widely implementable, in each scripting language and hosting environment including Google AppEngine, Force.com, etc.?</li>
<li>Would the community feel that this is simple enough? <br></li></ul>I would appreciate your insight/opinion/input into this matter. <br><br>Best, <br><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br>