W3C home > Mailing lists > Public > public-xmlsec@w3.org > March 2010

RE: May I introduce myself...

From: Scott Cantor <cantor.2@osu.edu>
Date: Tue, 2 Mar 2010 11:57:46 -0500
To: "'Meiko Jensen'" <Meiko.Jensen@ruhr-uni-bochum.de>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Message-ID: <00e201caba29$7b832c20$72898460$@2@osu.edu>
> Hence, I'll try to support the ongoing efforts regarding stream-based
> application and verification of XML Signatures, and also try to provide
> solutions to the issues we discovered (e.g. the namespace injection
stuff).
> 
> Being too late for the 1.1 drafts (as far as I understood), I'll focus
> on the 2.0 versions of XML Signature and Canonical XML, and on the best
> practices documents.

I wanted to note that in theory if there were constraints we could get
agreement on that would mitigate certain problems, they might be feasible to
impose at the spec level, even if they're not precisely testable. In other
words, we could say you MUST do X, if only to make problem cases
non-conformant. We're free to do that in the case of the new transform
model, since we're defining what it permits.

> I hope to be helpful in terms of security analysis, providing best
> practices against attacks and misconfigurations. Potentially, we can
> also contribute basic reference implementations (being a university, we
> sometimes manage to attract clever students for doing their master
> thesis on such implementations. Maybe I can find one...).

Not to get ahead of things, but if you happen to find such resources, my
open source project (Shibboleth) is a candidate code base to add such
support to. We're currently using the Apache implementation, but there's a
decent chance if we did anything with 2.0, we'd be starting a new one from
scratch in Java and C++.

-- Scott
Received on Tuesday, 2 March 2010 16:58:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 March 2010 16:58:16 GMT