From: Pascal S. <Pas...@se...> - 2003-08-14 15:09:01
Hi,

If you are looking to use XML Sig / Enc as a replacement for the current openSST message format, maybe you can take a look at the openXades project (http://www.openxades.org/), developed by the Estonian CA (SK, http://www.sk.ee/, see also http://www.id.ee/). They also used the concept of a generic XML message (well, they call it document) format for storing the data to be signed or encrypted. The only hitch is that they mainly focus on signing and not so much on encryption, but it could maybe help you anyway.

Regards,
Pascal

On Thu, 2003-08-14 at 11:18, Alexandre Dulaunoy wrote:
> On Thu, 14 Aug 2003, Sebastien Stormacq - Senior Architect - Software Services Belux wrote:
>
> > Hello,
> >
> > Once again ... I think it might be interesting to investigate the SAML
> > spec to replace / embrace the existing opensst message format
> >
> > http://weblogs.java.net/pub/wlg/331
> >
>
> SAML is 'mainly' about the exchange of authentication and authorization
> data in an XML format. SAML is only a part of Web Services security and
> does not provide 'directly' a new general format for post-processing
> messages or signed messages. So I can't see where we can use it for the
> message format. SAML is a friend of XACML. SAML can use the XML
> Signature / XML Encryption standards and they are not directly
> connected.
>
> I tend to consider that the XML Signature / XML Encryption standards[3][4]
> are a possible replacement for the current OpenSST message format. There
> are implementations (one year ago it wasn't the case) of the XML Signature
> / XML Encryption standards available and working quite well. The
> XML Security Library[1] done by Aleksey Sanin is an excellent piece of
> software. There are existing methods and approaches for session key based
> messages:
> http://www.aleksey.com/xmlsec/api/xmlsec-encrypt-with-session-key.html
>
> The main issue is the complexity of the standard itself, look at the
> MUST/SHOULD keywords in the standard. Sometimes (often?), the standard
> is not fully supported, due to a lack of various encryption in the
> cryptography libraries[2]
>
> So building a small message format using (a subset?) of XML Signature
> / XML Encryption seems quite possible.
>
> The main advantage of XML Sig/Enc is that it can be applied to arbitrary
> digital content. We also have to dig into the Canonical and Exclusive
> Canonical issue in order to provide an easy way; there are some
> libraries available doing that (for example, the Gnome Libxml2
> library).
>
> So we can imagine an existing <OpenSSTdata part>/<OpenSSTheader part>
> with an enveloping signature <Object><data id part /> <header part
> /></Object> or a detached signature (with a URI reference inside the
> document).
>
> For the encryption, we can imagine an encryption on the whole element
> (in a first version) of the OpenSSTdata part (header too? or another
> encapsulated header part?). <EncryptedData>
> <CipherData><CipherValue>...</CipherValue>...
>
> The ordering is easily solved by following the ordering of decryption
> and verification in the standard. (xmlenc-decrypt)
>
> What do you think of that? We have to define the data part (quite the
> same as the current part?) and the header part (is it needed?).
>
> Thanks,
>
> Have a nice day,
>
> adulau
>
> [1] http://www.aleksey.com/xmlsec/
> [2] http://www.aleksey.com/xmlsec/xmldsig.html
> [3] http://www.w3.org/TR/xmldsig-core/
> [4] http://www.w3.org/TR/xmlenc-core/

-- 
Pascal Steichen
Ministère de l'Economie
Direction de l'Energie et des Communications
LuxTrust GIE
19-21 boulevard Royal
L-2449 Luxembourg
tél: +352 478 4179
fax: +352 478 4311
e-mail: pas...@se...
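The envelope Alexandre sketches in the quoted mail (an enveloping XML Signature over the OpenSST header and data parts, then the whole signed element encrypted with a session key, decrypted before verification) written out as an added XML example; it is not code from the thread or from the OpenSST project, and the OpenSSTheader/OpenSSTdata element names, the opensst-msg Id, the key names and the sample payload are assumptions, with BASE64 placeholders standing in for the computed values.

```xml
<!-- Step 1: what gets signed. Enveloping signature: the OpenSST header and data
     parts (assumed element names) sit inside ds:Object and are covered by the
     Reference URI="#opensst-msg" (assumed Id). Exclusive C14N is used because
     the signed element will later be moved into another document. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <!-- xmldsig-core (2002) mandated rsa-sha1; SHA-1 is no longer acceptable for
         signatures, so the RFC 4051 rsa-sha256 identifier is used here. -->
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#opensst-msg">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>BASE64-DIGEST-PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>BASE64-SIGNATURE-PLACEHOLDER</ds:SignatureValue>
  <ds:KeyInfo><ds:KeyName>sender-signing-key</ds:KeyName></ds:KeyInfo>
  <ds:Object Id="opensst-msg">
    <OpenSSTheader><from>alice</from><to>bob</to></OpenSSTheader>
    <OpenSSTdata>constructed sample payload</OpenSSTdata>
  </ds:Object>
</ds:Signature>

<!-- Step 2: what goes on the wire. The whole ds:Signature element above is
     replaced by xenc:EncryptedData (Type=Element). The AES session key travels
     in xenc:EncryptedKey, wrapped with the recipient's RSA key: the
     "encrypt with session key" pattern linked in the thread. -->
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                    Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <ds:KeyInfo><ds:KeyName>recipient-rsa-key</ds:KeyName></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>BASE64-WRAPPED-KEY-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue>BASE64-CIPHERTEXT-PLACEHOLDER</xenc:CipherValue>
  </xenc:CipherData>
</xenc:EncryptedData>
<!-- Receiver order, as the thread says: unwrap the session key, decrypt
     EncryptedData back into the ds:Signature element, then verify the
     signature against the recovered ds:Object. Verification must not be
     skipped when decryption succeeds: CBC gives no integrity on its own. -->
```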