<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
John Bradley wrote:
<blockquote cite="mid:5ED12C6B-13E5-4553-A430-947DE5BEA39A@wingaa.com"
type="cite">Peter,
<div><br>
</div>
<div>Yes some of us see the possibility of XRD as signed meta-data
being a useful alternative to X.509 eventually.</div>
<div><br>
</div>
<div>If we
have a signature method that supports enveloping signatures, XRD will be more useful for those applications.</div>
<div><br>
</div>
<div>We can opt for the simplest signing, that of signing the binary
representation of the XRD and keeping the signature in a detached file. </div>
<div>This may make life simpler for scripting languages dealing with
canonicalization but at the cost of making it awkward to deal with in
other environments where having the signature in the same document is
very useful.</div>
</blockquote>
For the record, and for those of us not versed in X.509, can you provide
some use cases and details on how having the signature in the XRD doc
is necessary/useful for XRD?<br>
<br>
<br>
<blockquote cite="mid:5ED12C6B-13E5-4553-A430-947DE5BEA39A@wingaa.com"
type="cite">
<div><br>
</div>
<div>Full XMLDsig is ugly because of qnames and other issues. We
are proposing a constrained implementation that eliminates most of the
canonicalization complexities, but is still compatible with existing
libraries.</div>
<div><br>
</div>
<div>John B.<br>
<div>
<div>On 10-Jun-09, at 12:10 PM, <a moz-do-not-send="true"
href="mailto:general-request@openid.net">general-request@openid.net</a>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite"><span class="Apple-style-span"
style="font-family: monospace;">Date: Wed, 10 Jun 2009 09:10:44 -0700<br>
From: Peter Williams <<a moz-do-not-send="true"
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>
Subject: Re: [OpenID] Signing method for XRD<br>
To: Santosh Rajan <<a moz-do-not-send="true"
href="mailto:santrajan@gmail.com">santrajan@gmail.com</a>>, "<a
moz-do-not-send="true" href="mailto:general@openid.net">general@openid.net</a>"<br>
<span class="Apple-tab-span" style="white-space: pre;"> </span><<a
moz-do-not-send="true" href="mailto:general@openid.net">general@openid.net</a>><br>
Message-ID:<br>
<span class="Apple-tab-span" style="white-space: pre;"> </span><<a
moz-do-not-send="true"
href="mailto:BFBC0F17A99938458360C863B716FE46398DCE8FDD@simmbox01.rapnt.com">BFBC0F17A99938458360C863B716FE46398DCE8FDD@simmbox01.rapnt.com</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
<br>
my first reaction was ugh - xml-dsig has its own inband mechanism for
referencing keying material - and here is openid/xrd doing yet another
standard for verifying signatures and validating the supporting keying
material (probably poorly).<br>
<br>
My second reaction on reflection was that xml-dsig is rarely used to
its full potential. It's typically used in PKCS7 signing and sealing
emulation modes, with an XML centric view of the world - with no
particular benefit. But, if xml dsig fully uses its external
references, and the references are to a world of XRD files which are
TRUSTED to act as a key distribution mechanism, things get rather more
interesting. In that world, the XRD is becoming a certificate, as we
know it - and one whose format and semantics would enable it to go
beyond the staid ol X.509 cert chains and benefit the full expression
power of xri queries and XRI resolution.<br>
<br>
What the X.509 v3 format work took apart (divorcing asymmetric key
management from dap/ldap resolution), XRI/XRD may be putting back
together: query-based named-key resolution supporting trust fabric
meshes.<br>
<br>
</span></blockquote>
</div>
<br>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<br>
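<p>The "simplest signing" option John describes above, signing the exact bytes of the XRD and keeping the signature in a detached file, is illustrated by the following added example. It is not code from the thread or from any OpenID/XRD implementation; it uses Ed25519 from Go's standard library purely as a stand-in signature scheme, and the XRD document, its re-serialised variant and the function names are constructed for the illustration. It shows why a detached signature needs no canonicalization (the verifier checks the bytes as served) and also why that is fragile: the same XML infoset emitted with different whitespace no longer verifies.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed sample XRD (not from the thread): the exact bytes a publisher
// would serve alongside a detached signature file.
const xrdOriginal = `<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://example.com/</Subject>
  <Link rel="http://openid.net/specs/auth/2.0/provider" href="http://op.example.com/"/>
</XRD>
`

// The same document after an intermediary (proxy, cache, XML library) has
// re-serialised it: identical XML infoset, different bytes.
const xrdReformatted = `<?xml version="1.0" encoding="UTF-8"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Subject>http://example.com/</Subject><Link rel="http://openid.net/specs/auth/2.0/provider" href="http://op.example.com/"/></XRD>
`

// SignDetached signs the raw document bytes. Because the signature is stored
// outside the document, nothing inside the XRD has to be canonicalized or
// excluded from the digest; the relying party must simply obtain exactly the
// bytes that were signed.
func SignDetached(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifyDetached checks a detached signature against the bytes presented.
// Any byte-level change, whether tampering or harmless re-serialisation,
// makes this return false.
func VerifyDetached(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Demo performs one sign/verify round trip and reports whether the original
// bytes and the re-serialised bytes verify under the same detached signature.
func Demo() (origOK bool, reformattedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig := SignDetached(priv, []byte(xrdOriginal))
	origOK = VerifyDetached(pub, []byte(xrdOriginal), sig)
	reformattedOK = VerifyDetached(pub, []byte(xrdReformatted), sig)
	return origOK, reformattedOK, nil
}

func main() {
	origOK, reformattedOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original bytes verify:     %v\n", origOK)
	fmt.Printf("re-serialised bytes verify: %v\n", reformattedOK)
}
```

<p>The second result is the trade-off in John's message: a scripting language can produce and check a detached signature with nothing more than a hash-and-sign primitive, but any environment that parses and re-emits the XRD before verifying it (or that wants the signature carried inside the document) needs either a canonical form or a constrained profile that fixes the byte representation.</p>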
</body>
</html>