W3C home > Mailing lists > Public > public-xmlsec@w3.org > August 2008

Re: Some strawman ideas for a minimum DSig profile

From: Scott Cantor <cantor.2@osu.edu>
Date: Thu, 21 Aug 2008 13:51:09 -0400
Message-ID: <48ADAB0D.1040309@osu.edu>
To: Sean Mullan <Sean.Mullan@Sun.COM>
CC: Kelvin Yiu <kelviny@exchange.microsoft.com>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>

Sean Mullan wrote:
> It also occured to me that many of these minimal processing and 
> verification issues could be solved if the xml signature was always 
> stored in a separate xml document, and somehow safely associated or 
> packaged with what it is signing (like a zip file).

I guess it's relevant to my action item, so I'll point out that if you're 
going to do that, there is very little value to signing it as XML or 
producing a signature that's XML. That's much easier to do with S/MIME (or 
something like what we did with the alternate SAML binding).

I think that it's worth considering that it may not be up to this WG 
necessarily to "fix" XML Signature, so much as to push back on some of the 
places where it's been used perhaps without need.

There are other changes to specs like WS-Security or its profiles that also 
could address some of the problems that we're trying to slog through. For 
example, the c14n issues with namespaces are much worse when you have to 
nest XML inside of XML. If you base64 the XML (e.g. a SAML assertion) and 
put that into a WSS header instead of the XML itself, you get a much more 
robust situation.

-- Scott
Received on Thursday, 21 August 2008 17:52:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:54 GMT