FW: host-meta and "acct:"
|
View:
New views
2 Messages
—
Rating Filter:
Alert me
|
 |
FW: host-meta and "acct:"
by Peter Williams
::
Rate this Message:
Some parts of this message have been removed.
Learn more about Nabble's security policy.
If you read 10.2
SAML...................................................................................................................................
60 10.2.1 Service Type and Service Media Type.............................................................................
61 10.2.2
Protocol.........................................................................................................................
61 10.2.3 Recursing Authority Resolution........................................................................................
62 10.2.4 Client Validation of
XRDs...............................................................................................
63 10.2.5 Correlation of ProviderID and KeyInfo
Elements............................................................... 64 in the origin al XRI 2.0 draft doc, you see the rules the
processor of the *original* XRD format must follow (in order to embue
the signed blog as a being “SAML token” type – for
“SAML-assured” name resolution amongst other purposes). Now, from what I can tell, the use of SAML markup for xrd
signing had nothing to do with SAML as we know it now in its SSO guise: folks
just borrowed the markup (as was proper) to fashion a method of signing XRDs,
much as Microsoft applied similar markup in cardspace signaling. In doing so, folks could also borrow the semantics of the core
SAML controls that go with SAML type processing. These seems to have been
largely about ensuring that the resulting blob acted as a
“token” - once removed from its issuing context. So,
you can think of the XRI/XRD servers as an early forms of STS: a signed
blob server and signed blob verifier, given the (naming and trust) contexts
that the TTP-grade name-serving apparatus of ibrokers wanted to manage.
Its an idea with a LONG tradition attached (from the secure directory world). Hmm. “Token”, “once signed”,
“removed from its context”. Sounds a bit like a signed
host-meta – an blog XRD sitting on a file server doing what a HTML file
with a few meta tags for links would also do, except it’s a
“bit” easier to parse (I suppose). Now, the host-meta I-D implies that one can sign the elements
(having included a subject field). But, in the transition from XRI to XRD 1.0,
the subject is now just a URI (vs an XML element that used to be able to bear
an xml:id reference). This is what I for my want to know all about - from IETF. How
does one sign an host-meta profiled XRD, considering the content of the subject
in particular. For all I know, given the evidence from XRDS-simple, they are
going to have us do what sort of thing they proposed there, where the URI in
the subject field will have a fragment on the end, indicating the xml:id value.
We don’t know, and we should. Evidently (given the syntax
change), it ain’t gonna happen the way it happened in the era of the
XRI-based signed XRD. For all we know, folks may even decide that the
“xml:id control” (and the providerId control similarly) from the
“SAML-era” signed XRD are not even necessary now. I’m far too far from a standards committee to even guess
at their thinking about security models. But, meantime, it’s hard to
write correctly structure code for the handling the signed type, mean time. We kind of got away from the thread’s subject line, no! From: Peter Williams [mailto:home_pw@...] Yes. Only the XRD element has
an xml:id attribute, schematically. But I could not detect your point, of
saying this fact. And, a subject name is about
an XRD in a context (in general). One such context is the native signing/trust
model (if used). In the secured variant, the
signature metadata has internal an reference within the stream representing the
value. (That’s just how xml dsig works…, irrespective of XRD
typing). Csnider now the the security model of XRD vs blob signing (where the
additional security controls make the XRD into a certificate, essentially) the
referencing model is reinforced: the subject has to refer to the same
internal-stream identifier as was resolved by the xml dsig library. Its not that the xmldsig
library has to confirm/validate the subject. That’s the function of the
validation logic attached to the XRD type itself, as its constructed from the
stream. That logic implement the security model of the type (XRD). I’m going to
assume that the next generation of XRD library (moving beyond
openxri’s initial attempt) will have at least two factories: one derived
from the specification of an unsigned XRD type, and one for signed types. The
factory for signed types will construct class instances that can enforce the
xrd.subject rules. The more basic factory will not. IN fact, an instance as it
constructs from the stream will throw an exception if the subject field is
present (according to todays profile spec). AS I said once before, I
think you are on the right tack challenging the IETF writeup on xrd.subject . Its
just got the wrong focus. It’s not that it MUST always exist per se, but
when it does exist (in the signed variety), IETF should be defining the profile
for that variant too. In that way, the conflicts between the issues of
context-free XRDs and the issues signed XRD can be resolved, and folks know
what to do… when signing host-metas. From: Santosh Rajan [mailto:santrajan@...] Hey Peter, please note that the xml:id refers only
XRD root element as per the XRD 1.0 spec. On Sun, Nov 1, 2009 at 9:17 PM,
Peter Williams <home_pw@...>
wrote: Its (arguably)
better that the ASN.1 SIGNED macro it replaced. That’s because one get to
insert various value/type resolvers into the process (which existed in theory
in the ASN.1 days, but not in reality). Its obviously real, in the XML tooling
era. Now…remember
the comment that xrd.subject is REQUIRED n signed XRDs? Now you have the
explanation! The subject has to bear the xml:id (so one cannot spoof historical
references, when the hash algorithm’s trength starts to fail in the
future). Now, the crypto types will tell you to ensure there is lot of
redundancy in the id component o the xml:id, much like in VeriSign serial
numbers there is also lots of redundancy – preparing for the day when the
particular cipher starts to fails completely (like MD5) and folks get a much
smaller search space to attack you on! Peter. From: Santosh Rajan [mailto:santrajan@...]
If you look at the XML DSig spec there is no association
with any content of the signed XML Doc itself. But I must admit my knowledge of
XML DSig is pretty rusty. On Sun, Nov 1, 2009 at 8:55 PM, Peter Williams <home_pw@...> wrote: The xml:id in
the attribute grammar for the XRD element is still needed for the optional
digital signing feature. (Using xml:id is how xml dig sig resolvers work, by
default; so the library know which bit of the XML document they are typically a
part of they need to hash). On these grounds, it’s not a ROTFL issue (*).
One has to be
careful when signing things playing the role of certificates (vs any other
class of signed type). One needs to get the references right. (Go see how in
XRI 2.0 the xml:id is in both the certified name as well as in
signature’s own metadata referring to the XMl element to be
signed). When I did the
XRI/XRD trusted resolver coding (basically, just finishing off what someone
else had mostly already done in the openxri java source tree), I used the
default resolver of the apache dig sig library to resolve the xml:id field in
the DOM tree representing the XRD typed value. When I did later
experimented with my own resolvers built on the above success (and obviously no
conforming to any standard), I used the http resolver from the apache dig sig
library, initially. This is when I started wondering… well is the
fragment on that http URI essentially playing the role of xpointer (which can
point to such as xml:id in an incoming stream)? Then I got into
semweb, which teaches not to fall into the xpointer type of trap, and let
metadata describe what that http name is all about. Don’t point at format
level constructs by address; do refer to semantic constructs by name. This all made
sense (since dig sigs typically are semantically-unaware, and properly act on
serialization formats (i.e. its propert to use an xml:id class reference). But,
then I got into “higher” xml-design issues address
semantic-security claims - where the blob signer signs not the value in
question but merely a outlier value tied to the signature. It then refers to X.
X are commonly security tokens bound to SOAP headers (see the ws-security
world). But… X can be also be seen as a descriptor – i.e. metadata
that describes external resources using resource description frameworks (be
they XRDs, or RDFs).So it became fun to sign an XRD, where the XRD describes
the semantic-security of other XRDs. But, I was just playing around. So…
ignore! (*) xml dsig is
a ROTFL matter, since it was born out of rejection of the 2 paragraphs ISO took
to specify how to canonicalize BER-encoded TLVs. The DARPA folks trained in
cold war doctrine hated it (mostly because it was ISO defined, where ISO was
evil by definition, since it included evil commie contributions). SO… the
mindset helped engender what we now have…in the xml dsig world (where it
takes entire books to explain its canonicalization process …based on
pattern matching). While it would make sense if anyone used xmldsig in
“intelligent mode”, it doesn’t in practice make sense: as
folks only typically use Xml-dsig for purposes identical with the thing that
took ISO 2 paragraphs to describe! But I think
it’s all ultimately working out for the better. It is time we dumped the
ASN.1-signed cert, and moved to a signed XRD that looks like at least
something design during the lifetime of the web! Ideally we would move straight
to a signed graph, but I dont see much evidence of that happening soon (because
of canoncalization issues, again!) From: Santosh Rajan [mailto:santrajan@...] Hehe Peter, another worm out of the XRD can. Why does XRD 1.0
need to define a xml:id for XRD, given that it is the root element of the XRD,
there can only be one? ROTFL if anyone has forgotten this acronym, it is
"Rolling ON The Floor Laughing". On Sun, Nov 1, 2009 at 3:15 AM, Peter Williams <home_pw@...> wrote:
View this message in context: http://old.nabble.com/host-meta-and-%22acct%3A%22-tp26079872p26146197.html Sent from the OpenID - General mailing list archive at
Nabble.com. _______________________________________________ general mailing list general@... http://lists.openid.net/mailman/listinfo/openid-general |
|
|
Re: FW: host-meta and "acct:"
by Will Norris
::
Rate this Message:
|
| Free embeddable forum powered by Nabble | Forum Help |
