- From: Scott Cantor <cantor.2@osu.edu>
- Date: Thu, 21 Aug 2008 13:51:09 -0400
- To: Sean Mullan <Sean.Mullan@Sun.COM>
- CC: Kelvin Yiu <kelviny@exchange.microsoft.com>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Sean Mullan wrote:
> It also occurred to me that many of these minimal processing and
> verification issues could be solved if the xml signature was always
> stored in a separate xml document, and somehow safely associated or
> packaged with what it is signing (like a zip file).

I guess it's relevant to my action item, so I'll point out that if you're going to do that, there is very little value to signing it as XML or producing a signature that's XML. That's much easier to do with S/MIME (or something like what we did with the alternate SAML binding).

I think that it's worth considering that it may not be up to this WG necessarily to "fix" XML Signature, so much as to push back on some of the places where it's been used perhaps without need. There are other changes to specs like WS-Security or its profiles that also could address some of the problems that we're trying to slog through.

For example, the c14n issues with namespaces are much worse when you have to nest XML inside of XML. If you base64 the XML (e.g. a SAML assertion) and put that into a WSS header instead of the XML itself, you get a much more robust situation.

-- Scott
Received on Thursday, 21 August 2008 17:52:33 UTC
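
The namespace problem with nested XML that the message describes, shown as an added example (not part of the original post, and not code from any specification or project): under inclusive canonicalization a nested subtree inherits its ancestors' namespace declarations, so its digest changes with the wrapper, while a base64 payload decodes to the same bytes. The canonicalizer is a simplified sketch covering only namespace declarations, elements and text; the assertion, the `ex:Token` element and its namespace URI are constructed placeholders.

```python
import base64
import hashlib
from xml.dom import minidom

# Constructed sample inputs (not real SAML or WS-Security messages).
ASSERTION = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
             '<saml:Issuer>https://idp.example.org</saml:Issuer></saml:Assertion>')
HEADER = ('<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
          'xmlns:ex="urn:example:header"><ex:Token>%s</ex:Token></soap:Header>')

def inscope_ns(elem):
    """Namespace declarations visible at elem; the nearest declaration wins."""
    ns = {}
    while elem is not None and elem.nodeType == elem.ELEMENT_NODE:
        for name, value in elem.attributes.items():
            if name == "xmlns" or name.startswith("xmlns:"):
                ns.setdefault(name, value)
        elem = elem.parentNode
    return ns

def c14n_subtree(elem, rendered=None):
    """Simplified inclusive c14n: namespace declarations, elements, text only."""
    ns = inscope_ns(elem)
    # Emit only declarations not already written by an output ancestor.
    new = {k: v for k, v in ns.items() if (rendered or {}).get(k) != v}
    decls = "".join(' %s="%s"' % kv for kv in sorted(new.items()))
    body = ""
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            body += c14n_subtree(child, ns)
        elif child.nodeType == child.TEXT_NODE:
            text = child.data.replace("&", "&amp;").replace("<", "&lt;")
            body += text.replace(">", "&gt;")
    return "<%s%s>%s</%s>" % (elem.tagName, decls, body, elem.tagName)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def digest_standalone():
    # Digest as computed by a signer holding the assertion on its own.
    root = minidom.parseString(ASSERTION).documentElement
    return sha256_hex(c14n_subtree(root).encode())

def digest_nested_xml():
    # Same assertion nested as XML: ancestor namespaces leak into the apex element.
    doc = minidom.parseString(HEADER % ASSERTION)
    apex = doc.getElementsByTagName("saml:Assertion")[0]
    return sha256_hex(c14n_subtree(apex).encode())

def digest_nested_base64():
    # Same assertion carried as opaque base64 text: decoding restores the bytes.
    doc = minidom.parseString(HEADER % base64.b64encode(ASSERTION.encode()).decode())
    token = doc.getElementsByTagName("ex:Token")[0]
    return sha256_hex(base64.b64decode(token.firstChild.data))
```
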