- From: Scott Cantor <cantor.2@osu.edu>
- Date: Sun, 18 Jan 2009 18:51:51 -0500
- To: "'XMLSec WG Public List'" <public-xmlsec@w3.org>

I couldn't find a formal action, but I was asked to write up a use case related to signing HTTP messages, similar to what part of the OAuth spec is supporting.

Currently the handful of techniques for signing in HTTP, such as OAuth and the SAML Simple-Sign binding, do not use XML Signature or express the resulting signature information as XML using the XML Signature schema. One reason is that the spec requires that digested content be referenced with a URI.

Examples of the kind of content that people would like to sign include:

- HTTP query string parameters
- HTML form elements as submitted in an HTTP request body
- other HTTP request body content
- HTTP headers

A natural way to use XMLSignature in such a use case would be to include a ds:Signature element in an HTTP request body (as an encoded parameter), but there is no URI scheme that would permit referencing any of those kinds of content from within an HTTP request body.

At the face to face, it was briefly noted that it would be logical for some other group to remedy this by defining such a URI scheme, but would not normally be a job for the XML Security WG. While this makes sense, it occurs to me that recent history suggests that proposals for new URI schemes aren't exactly being received very cordially at the moment. Perhaps I'm misreading some of that past discussion, though.

-- Scott

Received on Sunday, 18 January 2009 23:52:28 UTC