Fwd: [OpenID] Signing method for XRD

David Recordon david at sixapart.com
Wed Jun 10 17:57:41 UTC 2009


The specs list feels like a better home for this thread. :) 


--David 

----- "Nat Sakimura" <sakimura at gmail.com> wrote: 
> Hi all: 
> 
> At XRI TC of OASIS Open, we are talking about the signing method for XRD. 
> The current trend in the TC is to use a constrained form of XML DSig, 
> which is found in the SAML Core spec. We are almost deciding on it, 
> but I would like to hear from the community whether it would be OK. 
> 
> The reason I ask this was that when we started to discuss the 
> signing method for XRD back in November last year, we were 
> hearing from the community that XML DSig is too complex and 
> hard to use by some developers. That's why we came up with 
> "Simple Sign" which basically signs the blob without any 
> canonicalization. 
> 
> e.g., 
> 
> <SXRD sig="signature" sigalg="http://www.w3.org/2000/09/xmldsig#rsa-sha1" certuri="pem file location" data="BASE64 of the payload" /> 
> 
> Where: 
> 
> 
>   • XRD/@data : Base64 encoded XRD to be signed. 
>   • XRD/@sig : Signature taken over the original data (before Base64 encoding). 
>   • XRD/@certuri : (Optional) Certificate location. Either XRD/@certuri or XRD/@certs MUST be present. 
>   • XRD/@certs : (Optional) The content of XRD/@certuri. If both XRD/@certuri and XRD/@certs are present, XRD/@certs takes precedence. 
>   • XRD/@sigalg : (Optional) Signature Algorithm. Defaults to rsa-sha1. 
> 
> When we started writing a spec on such a thing, we found that we were re-writing a lot of things that are already in XML DSig. 
> As a result, XML DSig with new canonicalization method=no-canonicalization was discussed and in the end, 
> it seems the discussion precipitated to "After all, constrained XML DSig would be good enough." 
> Theoretically, it looks good. 
> 
> The remaining question is then the reality check, such as: 
> 
>   • Is it widely implementable, in each scripting language and hosting environment including Google AppEngine, Force.com, etc.? 
>   • Would the community feel that this is simple enough? 
> 
> I would appreciate your insight/opinion/input into this matter. 
> 
> Best, 
> 
> -- 
> Nat Sakimura (=nat) 
> http://www.sakimura.org/en/ 
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
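For readers weighing the "is it simple enough" question, here is the Simple Sign element sketched in Nat's message worked through in Go with only the standard library. This is an added example, not code from the thread or from the XRI TC: `Sign` emits `<SXRD sig sigalg certs data/>` and `Verify` applies the rules listed above (signature over the decoded, pre-Base64 bytes; `certs` preferred over `certuri`; `sigalg` defaulting to rsa-sha1). Two details the message leaves open are assumed here: `sig` is itself Base64-encoded, and `certs`/`certuri` carry a PEM X.509 certificate. The Go field names, the `fetch` callback for resolving `certuri`, and the sample `<XRD>` are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const rsaSHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1" // default sigalg, as quoted in the thread
type SXRD struct { // attributes as sketched in the thread; the Go field names are this example's own
	Sig     string `xml:"sig,attr"`
	SigAlg  string `xml:"sigalg,attr,omitempty"`
	CertURI string `xml:"certuri,attr,omitempty"`
	Certs   string `xml:"certs,attr,omitempty"`
	Data    string `xml:"data,attr"`
}

// Sign emits an SXRD: data is Base64(raw XRD), sig is RSA-SHA1 (PKCS#1 v1.5) over the raw,
// pre-Base64 bytes, certs carries the PEM certificate inline. Assumption: sig is Base64-encoded too.
func Sign(xrd []byte, key *rsa.PrivateKey, certPEM string) (string, error) {
	digest := sha1.Sum(xrd)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	out, err := xml.Marshal(SXRD{Sig: base64.StdEncoding.EncodeToString(sig), SigAlg: rsaSHA1,
		Certs: certPEM, Data: base64.StdEncoding.EncodeToString(xrd)})
	return string(out), err
}

// Verify checks an SXRD and returns the raw XRD it protects. fetch is consulted for
// certuri only when certs is absent, because certs takes precedence.
func Verify(doc string, fetch func(uri string) (string, error)) ([]byte, error) {
	var el SXRD
	if err := xml.Unmarshal([]byte(doc), &el); err != nil {
		return nil, err
	}
	if el.SigAlg != "" && el.SigAlg != rsaSHA1 { // an absent sigalg means rsa-sha1
		return nil, errors.New("unsupported sigalg: " + el.SigAlg)
	}
	certPEM, err := el.Certs, error(nil)
	if certPEM == "" && el.CertURI != "" && fetch != nil {
		certPEM, err = fetch(el.CertURI)
	}
	block, _ := pem.Decode([]byte(certPEM))
	if err != nil || block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no PEM certificate via certs or certuri (fetch error: %v)", err)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate key is not RSA")
	}
	xrd, errData := base64.StdEncoding.DecodeString(el.Data)
	sig, errSig := base64.StdEncoding.DecodeString(el.Sig)
	if errData != nil || errSig != nil {
		return nil, errors.New("data or sig is not valid Base64")
	}
	digest := sha1.Sum(xrd) // over the decoded bytes: not the Base64 text, and no canonical form
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return nil, err
	}
	return xrd, nil
}

// NewTestCert makes a throwaway key and self-signed certificate for the demo (panics on failure).
func NewTestCert() (*rsa.PrivateKey, string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "simple-sign-demo"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	key, certPEM := NewTestCert()
	doc, _ := Sign([]byte(`<XRD><Subject>http://example.com/</Subject></XRD>`), key, certPEM) // constructed sample
	xrd, err := Verify(doc, nil)
	fmt.Printf("verified %d bytes, err=%v\n", len(xrd), err)
}
```

Two observations the code makes concrete. First, the absence of canonicalization is what keeps the verifier this short: the relying party hashes exactly the bytes it decoded, so the question of "is it simple enough" reduces to Base64, PEM parsing and one PKCS#1 v1.5 verify, all of which the scripting environments named in the message had at the time. Second, a successful `Verify` establishes only that the data was signed by the key in the certificate the document itself names via `certs` or `certuri`; which certificates a relying party accepts for a given XRD is a separate decision that neither the element nor this code makes for it. The draft named rsa-sha1 as the default and the example follows it; a verifier built today would also want to admit a SHA-2 based `sigalg`.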

