Use case for a reference syntax for HTTP message content

I couldn't find a formal action, but I was asked to write up a use case
related to signing HTTP messages, similar to what part of the OAuth spec is
supporting.

Currently the handful of techniques for signing in HTTP, such as OAuth and
the SAML Simple-Sign binding, do not use XML Signature or express the
resulting signature information as XML using the XML Signature schema. One
reason is that the spec requires that digested content be referenced with a
URI.

Examples of the kind of content that people would like to sign include:

- HTTP query string parameters
- HTML form elements as submitted in an HTTP request body
- other HTTP request body content
- HTTP headers

A natural way to use XML Signature in such a use case would be to include a
ds:Signature element in an HTTP request body (as an encoded parameter), but
there is no URI scheme that would permit referencing any of those kinds of
content from within an HTTP request body.
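As an added illustration, not part of Scott's message: a Python sketch of the detached ds:Signature described above, covering query-string parameters. The Reference URI scheme is an explicit placeholder because, as noted, no such scheme exists; the canonical form of the parameters, the shared key and the HMAC signature method are assumptions of this example, not anything the WG defined.

```python
"""Detached XML-Signature-style digest and signature over HTTP query
parameters. Constructed example; the Reference URI is a placeholder."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, quote

DS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
PLACEHOLDER_URI = "x-placeholder-http-query:"  # hypothetical; no such scheme is defined


def canonical_query(query):
    """Deterministic form of a query string (assumed, not a DSig transform):
    decode, sort by (name, value), re-encode with the RFC 3986 unreserved set."""
    pairs = sorted(parse_qsl(query, keep_blank_values=True))
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)


def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_signed_info(query):
    si = ET.Element(f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm=EXC_C14N)
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI=PLACEHOLDER_URI)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
    dv = ET.SubElement(ref, f"{{{DS}}}DigestValue")
    dv.text = digest_b64(canonical_query(query).encode())
    return si


def sign_query(query, key):
    """Return (SignedInfo XML, base64 SignatureValue). A real implementation
    must run exclusive C14N over SignedInfo before signing; omitted here."""
    si_bytes = ET.tostring(build_signed_info(query))
    sig = hmac.new(key, si_bytes, hashlib.sha256).digest()
    return si_bytes.decode(), base64.b64encode(sig).decode()


def verify_query(query, key, signed_info_xml, signature_b64):
    """Re-digest the received parameters, then check the HMAC over SignedInfo."""
    si = ET.fromstring(signed_info_xml)
    dv = si.find(f"{{{DS}}}Reference/{{{DS}}}DigestValue").text
    if not hmac.compare_digest(dv, digest_b64(canonical_query(query).encode())):
        return False  # parameters were altered or reference does not match
    expected = hmac.new(key, signed_info_xml.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(signature_b64))
```

Because the digest is taken over a canonical form, reordering or re-encoding the parameters on the wire still verifies, while any change to a value does not.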

At the face-to-face, it was briefly noted that it would be logical for some
other group to remedy this by defining such a URI scheme, but that it would not
normally be a job for the XML Security WG. While this makes sense, it occurs
to me that recent history suggests that proposals for new URI schemes aren't
exactly being received very cordially at the moment. Perhaps I'm misreading
some of that past discussion, though.
 
-- Scott

Received on Sunday, 18 January 2009 23:52:28 UTC