<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Times New Roman; font-size: 12pt; color: #000000'>The specs list feels like a better home for this thread. :)<div><br></div><div>--David</div><div><br>----- "Nat Sakimura" <sakimura@gmail.com> wrote:
<br>> Hi all: <br>> <br>> At the XRI TC of OASIS Open, we are talking about the signing method for XRD. <br>> The current trend in the TC is to use a constrained form of XML DSig, <br>> which is found in the SAML Core spec. We are almost deciding on it, <br>>
but I would like to hear from the community whether it would be OK. <br>> <br>> The reason I ask this is that when we started to discuss the <br>> signing method for XRD back in November last year, we were <br>> hearing from the community that XML DSig is too complex and <br>>
hard to use by some developers. That's why we came up with <br>> "Simple Sign" which basically signs the blob without any <br>> canonicalization. <br>> <br>> e.g., <br>> <br>> <pre>&lt;SXRD sig="signature" sigalg="<a href="http://www.w3.org/2000/09/xmldsig#rsa-sha1" target="_blank">http://www.w3.org/2000/09/xmldsig#rsa-sha1</a>" certuri="pem file location" data="BASE64 of the payload" /&gt;<br>>
<br>> Where: <br>> </pre><ul><li>XRD/@data : Base64 encoded XRD to be signed.</li>
<li>XRD/@sig : Signature taken over the original data (before Base64 encoding).</li>
<li>XRD/@certuri : (Optional) Certificate location. Either XRD/@certuri or XRD/@certs MUST be present.</li>
<li>XRD/@certs : (Optional) The content of XRD/@certuri. If both XRD/@certuri and XRD/@certs are present, XRD/@certs takes precedence.</li>
<li>XRD/@sigalg : (Optional) Signature Algorithm. Defaults to rsa-sha1.</li></ul>
<br>> When we started writing a spec on such a thing, we found that we were re-writing a lot of things that are already in XML DSig. <br>> As a result, XML DSig with new canonicalization method=no-canonicalization was discussed and in the end, <br>>
it seems the discussion precipitated to "After all, constrained XML DSig would be good enough." <br>> Theoretically, it looks good. <br>> <br>> The remaining question is then the reality check, such as: <br>> <ul><li>Is it widely implementable, in each scripting language and hosting environment including Google AppEngine, Force.com, etc.?</li>
<li>Would the community feel that this is simple enough? <br>> </li></ul>I would appreciate your insight/opinion/input into this matter. <br>> <br>> Best, <br>> <br>> -- <br>> Nat Sakimura (=nat)<br>> <a href="http://www.sakimura.org/en/" target="_blank">http://www.sakimura.org/en/</a><br>>
<br>> _______________________________________________
general mailing list
general@openid.net
http://openid.net/mailman/listinfo/general
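<div><br></div><div>An added illustration, not code from this thread or from the XRI TC, of the "Simple Sign" round trip as Nat describes it: the signature is taken over the raw XRD bytes with no canonicalization, @data carries Base64 of those bytes, and the verifier decodes @data and checks the signature over the decoded bytes rather than over the Base64 text. Assumptions made here: @sig carries Base64 of the raw signature bytes (the quoted envelope does not say how the signature is encoded), the verifier is handed the public key directly instead of fetching certuri/certs, and the sample XRD is constructed. The example keeps the proposal's rsa-sha1 default so it matches the quoted attributes; SHA-1 is no longer an acceptable signature hash, so a deployment today would register and require a SHA-256 algorithm URI instead.</div>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
)

// DefaultSigAlg is what the quoted proposal falls back to when @sigalg is
// absent: rsa-sha1, identified by its XML DSig URI.
const DefaultSigAlg = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

// SXRD holds the attributes of the "Simple Sign" envelope from the message.
// certuri/certs are left out: Verify takes the public key directly instead
// of fetching a certificate (an assumption of this example).
type SXRD struct {
	Data   string // @data: Base64 of the raw XRD bytes
	Sig    string // @sig: Base64 of the raw signature (encoding assumed here)
	SigAlg string // @sigalg: "" means DefaultSigAlg
}

// Sign produces an envelope over payload. The signature is computed over the
// raw bytes, before Base64 encoding and with no canonicalization, exactly as
// the quoted description says.
func Sign(priv *rsa.PrivateKey, payload []byte) (SXRD, error) {
	digest := sha1.Sum(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return SXRD{}, err
	}
	return SXRD{
		Data:   base64.StdEncoding.EncodeToString(payload),
		Sig:    base64.StdEncoding.EncodeToString(sig),
		SigAlg: DefaultSigAlg,
	}, nil
}

// Verify checks env against pub and returns the decoded payload only when the
// signature matches. An unknown @sigalg is rejected rather than guessed at.
func Verify(pub *rsa.PublicKey, env SXRD) ([]byte, error) {
	alg := env.SigAlg
	if alg == "" {
		alg = DefaultSigAlg
	}
	if alg != DefaultSigAlg {
		return nil, fmt.Errorf("unsupported sigalg %q", alg)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Data)
	if err != nil {
		return nil, fmt.Errorf("@data is not valid Base64: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(env.Sig)
	if err != nil {
		return nil, fmt.Errorf("@sig is not valid Base64: %w", err)
	}
	// Verify over the decoded bytes, i.e. the same bytes that were signed,
	// never over the Base64 text itself.
	digest := sha1.Sum(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return nil, errors.New("signature does not match @data")
	}
	return payload, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload; not a real XRD document.
	xrd := []byte(`<XRD><Query>=example</Query></XRD>`)

	env, err := Sign(priv, xrd)
	if err != nil {
		panic(err)
	}
	if got, err := Verify(&priv.PublicKey, env); err == nil {
		fmt.Printf("verified: %s\n", got)
	}

	// Changing @data after signing must fail: the Base64 blob no longer
	// decodes to the bytes the signature covers.
	env.Data = base64.StdEncoding.EncodeToString([]byte(`<XRD><Query>=changed</Query></XRD>`))
	_, err = Verify(&priv.PublicKey, env)
	fmt.Println("modified @data:", err)
}
```

<div>Two points a reviewer of such a scheme would check are visible here: the verifier decodes @data before hashing, so a forwarder re-encoding the Base64 (line wrapping, different alphabet) cannot silently change what is signed; and an unrecognised @sigalg is an error, not a fallback to the default, so a relying party cannot be steered onto a weaker algorithm by an attribute it does not understand.</div>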
</div></div></body></html>