Re: How much XML Signature is mature?

This has been a great discussion.  I'd just add, in reference to Gino's original note, that I would expect the web service he describes to potentially encompass authorization, multi-reference and multiple digital signatures.  Even noting that, though XML Signature and SAML are comfortably mature, WS-Security is (hopefully) just about to give birth to its first official standards, it would be a pretty safe bet that using an XML Signature/WS-Security/SAML(?) architecture is going to be a lot less expensive and much more future-proof than a roll-your-own approach.  (Note that everything I've said here is based on a very cursory and limited analysis; a real recommendation would be based on a much more thorough review of the particular situation.)

Regards, Ed
-----------------------------------------------------------------------------------------------------------------------
Ed Simon
<edsimon@xmlsec.com>
(613) 726-9645
XMLsec Inc.

Interested in XML Security Consulting and Training services?  Visit "www.xmlsec.com".
Now available!  "Web Services Security" published by Osborne (ISBN 0072224711)
  ----- Original Message ----- 
  From: Gino Tesei 
  To: w3c-ietf-xmldsig@w3.org 
  Sent: Friday, October 17, 2003 8:10 AM
  Subject: How much XML Signature is mature?


  Hi all, 

  I'm Gino Tesei and I'm new both to this mailing list and to XML Signature technology. I'm sorry in advance for possible technical inaccuracies.

  I'd like to have your opinions about the maturity of XML Signature technology for real big projects with very strict legal requirements. Just two words to introduce a possible business scenario & some functional requirements. Let's say that the "big" Bank (BB) wants to publish a set of services (Web Services) for "smaller" (SS) banks, for a set of business reasons. For instance, in our SOA conceptual model a possible service can be Pay with Credit Card < in cc_num>. SS's customers have, hence, the possibility of paying with their (normal) credit card, but SS don't communicate directly with Credit Card providers for all the finer-grained services needed to implement the above function (e.g. "is such a number a valid & correct CC card number?" or "is such a valid CC card number related to the given customer?"), but use BB as "a proxy" service provider. Obviously, such a service will not be free :) ... Now, in order to get the non-repudiation capability we have to handle signatures. Possible options are handling signatures at application level (e.g. using J2SE support) or using XML Signature. Both solutions can work but 

  (Applic Level) developers have to write code by hand to handle digests, signatures, certs, ... it's suitable having a self-made framework ... new business partners have to agree to such a "self-made standard", ...

  (XML Signature) developers use a (Java?) implementation of the standard ... no self-made framework is required ... new business partners agree to XML Signature ... 

  It's obvious that if XML Signature is mature enough (implementations robust, easy to use, integrated with IDEs or dev frameworks such as J2SE ...) the latter is the better solution ... 

  What's your opinion about such issues? What's new in six months? 

  Thanks in advance. 
  Gino Tesei

  ------------------------------------------------------------------- 
  Gino Tesei 
  Senior Consultant 
  Ekar - Altran Group  

  Via G. Modena, 10 - 20129 MILANO, ITALY 
  Tel +39 027481191 - Fax: +39 027386847 
  ------------------------------------------------------------------- 
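
As an added illustration of the "XML Signature in Java" option Gino raises (example code written for this page, not code from the thread or from either author): SS signs a request with an enveloped XML Signature and BB verifies it using the JDK's javax.xml.crypto.dsig API (JSR 105, shipped with Java 6 onward, so not what a 2003 project would have had; the equivalent at the time was Apache XML Security). The element names, namespace and Id value are assumed for illustration, and the request document is constructed inline. Beyond "does the signature validate", the verifier checks the two things that bite real deployments of this kind: the verification key comes from BB's own trust store rather than from a KeyInfo in the message, and the signed Reference covers exactly the element BB will act on, with a unique Id, so a sender cannot have the digest computed over a decoy element (the signature-wrapping case).

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class PaymentRequestSigning {

    // Hypothetical namespace, element and Id for the "Pay with Credit Card" service.
    static final String NS = "urn:example:bb:payments";
    static final String REQUEST_ID = "req-1";
    // Constructed sample request; not taken from the thread.
    static final String REQUEST =
        "<PayWithCreditCard xmlns=\"" + NS + "\" Id=\"" + REQUEST_ID + "\">"
      + "<Customer>C-42</Customer><Amount currency=\"EUR\">125.00</Amount>"
      + "</PayWithCreditCard>";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        // Declare Id as an ID-typed attribute so that URI="#req-1" can be dereferenced.
        doc.getDocumentElement().setIdAttribute("Id", true);
        return doc;
    }

    /** SS signs the request: enveloped signature over the root element, no KeyInfo. */
    static Document sign(KeyPair kp) throws Exception {
        Document doc = parse(REQUEST);
        Element root = doc.getDocumentElement();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + REQUEST_ID,
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        // KeyInfo deliberately omitted: BB selects the key from its own trust store, not from the message.
        XMLSignature sig = fac.newXMLSignature(si, null);
        sig.sign(new DOMSignContext(kp.getPrivate(), root));   // ds:Signature appended under the root
        return doc;
    }

    /** BB verifies: cryptographic validity, plus "is the signed element the one we act on?" */
    static boolean verify(Document doc, PublicKey trustedKey) throws Exception {
        Element root = doc.getDocumentElement();
        root.setIdAttribute("Id", true);   // a real receiver re-parses the bytes, so redo this
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;                  // exactly one signature allowed
        // Passing the key directly means any KeyInfo the sender included is ignored.
        DOMValidateContext ctx = new DOMValidateContext(trustedKey, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;                     // checks SignatureValue and every DigestValue
        // Signature-wrapping defence: the single Reference must point at the root element BB
        // processes, and that Id must occur exactly once in the document.
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1) return false;
        String uri = ((Reference) refs.get(0)).getURI();
        String rootId = root.getAttribute("Id");
        if (rootId.isEmpty() || !("#" + rootId).equals(uri)) return false;
        NodeList all = doc.getElementsByTagName("*");
        int idCount = 0;
        for (int i = 0; i < all.getLength(); i++) {
            if (rootId.equals(((Element) all.item(i)).getAttribute("Id"))) idCount++;
        }
        return idCount == 1;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair ss = kpg.generateKeyPair();   // SS's signing key; BB holds the public half in its trust store
        Document signed = sign(ss);
        System.out.println("valid as sent:  " + verify(signed, ss.getPublic()));
        // Tamper with the amount after signing, as a man-in-the-middle or a disputing party might.
        signed.getElementsByTagNameNS(NS, "Amount").item(0).setTextContent("1.00");
        System.out.println("valid tampered: " + verify(signed, ss.getPublic()));
    }
}
```

Run with `javac PaymentRequestSigning.java && java PaymentRequestSigning`; the first verification succeeds and the second fails, because the Reference digest over the root element no longer matches. The Id-uniqueness and "one Reference, pointing at the root" checks are where most of the hand-written glue in a standards-based deployment still lives: the library proves that some element was signed by the key, and the application has to prove that it is the element it is about to charge a card on.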

Received on Monday, 20 October 2003 11:16:26 UTC