Perhaps someone from VeriSign (Barry? Gary?) can comment on the viability of
http://xmlsig.sourceforge.net/

Hans



On Wed, Jun 10, 2009 at 11:54 PM, John Panzer<jpan...@acm.org> wrote:
> My general impression is that something that requires two pieces of software
> to agree on an exact, bit for bit infoset representation of an XML document
> in order to get security to work is a poor idea.  I have seen no wide
> deployments/usage of DSig in Atom feeds -- despite it being part of the spec
> -- and many complaints about how it's not possible to get it to work
> reliably given the software stacks currently in use.  The difficulties with
> canonicalization-for-signing in OAuth implementations have also reinforced
> my belief that it's much better to err on the side of the robust and simple.
>
> Signing a stream of uninterpreted bytes cuts out a whole slew of failure
> modes, and the ones that remain are debuggable -- the bytes match or they
> don't, and standard tools can tell you which.  It means it's possible to
> verify a signature with curl + a command line utility.  These are all very
> good things.
>
> (As a side note, it would also make the content type orthogonal to the
> signature code -- this is a good thing.)
>
> So, +1 for the simplest form of signing that could possibly work.
>
> -John
>
>
> Johannes Ernst wrote:
>
> I proposed something I called XML-RSig for similar reasons a few years ago:
>     http://netmesh.info/jernst/Technical/really-simple-xml-signatures.html
>
> "RSig" for "Really simple Signature".
>
> The trouble for OpenID and XRD and so forth is that it is not our core
> competency -- and shouldn't be -- to innovate around things that really
> aren't our business. Signing XML documents isn't our business.
>
> On the other hand, the people whose business it should be somehow seem to be
> asleep at the wheel, as the problems are well-known and somehow aren't being
> addressed, and haven't for years.
>
> It seems to me that the best way out of this conundrum is:
> 1. to foresee, architecturally, the use of several different ways of
> constructing signatures, as the matter clearly isn't settled
> 2. to make sure that high-end approaches (like XML-DSIG) work well, but
> low-end approaches (like XML-RSIG) work just as well
> 3. to maintain a best practices document that says "today, choice X is your
> best bet, and we say that because based on our market research, X has the
> highest market share in terms of implementors today."
>
> As we all know, any problem in computer science can be solved by adding a
> level of indirection. This may well be one of those cases.
>
>
>
>
>
> Johannes Ernst
> NetMesh Inc.
>
>
> ________________________________
>
>
>
> ________________________________
>
>  http://netmesh.info/jernst
>
>
>
> ________________________________
> _______________________________________________
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
>
> _______________________________________________
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
>
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Reply via email to