Dick Hardt <[EMAIL PROTECTED]> writes:

> On 13-Feb-06, at 10:31 AM, John Merrells wrote:
>
>> On 11-Feb-06, at 3:17 PM, Eric Rescorla wrote:
>>
>>> Method of ticket validation
>>>
>>> This draft validates the ticket by having the Membersite send a digest
>>> to the Homesite and get an ACK. It's not clear why this is desirable.
>>> Wouldn't it be simpler to have the Homesite digitally sign the ticket
>>> (the key could be delivered in the initial capabilities discovery
>>> phase) and then let the Membersite do the verification directly?
>>> I appreciate that there's a freshness concern, but this can
>>> be alleviated using the usual nonce-based anti-replay techniques.
>>
>> The motivation wasn't freshness. The dix:/message-id parameter
>> is a nonce that takes care of this.
>>
>> The motivation was to get all the binary crypto code out of the MS to
>> ease adoption. We learnt from our prior experience with the SXIP
>> protocol that this was a barrier to adoption. Writing good DSIG code
>> for all platforms/stacks/languages is tedious and expensive and, worse,
>> increases the number of lines of code that a MS developer has to
>> write to enable a site. [SXIP 1.0 worked this way.]
>
> Just to clarify, getting someone to install a dynamic language
> script or module is *way* easier than installing a binary.
>
> XML DSIG libraries are not widely available at this time for the
> scripting platforms.
Who said anything about XML DSIG? I just said you could use a digital
signature, which doesn't require XML at all.

-Ekr

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
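The design Eric is arguing for in the thread above, as an added example that is not code from the dix draft, SXIP, or any participant in the thread: the Homesite signs a ticket over a plain byte encoding (no XML and no XML DSIG), the Membersite verifies it locally with the public key it obtained during capability discovery, and the dix:/message-id nonce is consumed exactly once so a captured ticket cannot be replayed. Everything other than the dix:/message-id parameter is an assumption of this example: the Ticket field names, the netstring-style byte encoding, the "payload.signature" wire format, and Ed25519 as the signature scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Ticket is the Homesite's assertion about the user. Only MessageID mirrors a
// parameter from the thread (dix:/message-id); the other fields are assumed.
type Ticket struct {
	MessageID string // nonce minted by the Membersite, echoed back by the Homesite
	Subject   string // identity being asserted
	Audience  string // Membersite the ticket is bound to
}

var b64 = base64.RawURLEncoding

// canonical is the exact byte string that gets signed: fixed field order, each
// field length-prefixed (netstring style). No XML, so no XML canonicalization.
func (t Ticket) canonical() []byte {
	var b bytes.Buffer
	for _, f := range []string{t.MessageID, t.Subject, t.Audience} {
		fmt.Fprintf(&b, "%d:%s,", len(f), f)
	}
	return b.Bytes()
}

// parseCanonical reverses canonical, rejecting anything malformed.
func parseCanonical(data []byte) (Ticket, error) {
	var fields []string
	for rest := data; len(rest) > 0; {
		i := bytes.IndexByte(rest, ':')
		if i < 0 {
			return Ticket{}, errors.New("malformed ticket")
		}
		n, err := strconv.Atoi(string(rest[:i]))
		if err != nil || n < 0 || i+1+n >= len(rest) || rest[i+1+n] != ',' {
			return Ticket{}, errors.New("malformed ticket")
		}
		fields = append(fields, string(rest[i+1:i+1+n]))
		rest = rest[i+2+n:]
	}
	if len(fields) != 3 {
		return Ticket{}, errors.New("malformed ticket")
	}
	return Ticket{fields[0], fields[1], fields[2]}, nil
}

// Homesite signs tickets; the Membersite learned the public half of this key
// during capability discovery (delivered out of band in this example).
type Homesite struct{ priv ed25519.PrivateKey }

// Issue returns the wire form "base64url(payload).base64url(signature)".
func (h Homesite) Issue(t Ticket) string {
	payload := t.canonical()
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(h.priv, payload))
}

// Membersite verifies tickets itself: one signature check plus a one-shot
// nonce table, with no digest/ACK round trip back to the Homesite.
type Membersite struct {
	name    string
	pub     ed25519.PublicKey
	pending map[string]bool // nonces issued but not yet consumed
}

func NewMembersite(name string, pub ed25519.PublicKey) *Membersite {
	return &Membersite{name: name, pub: pub, pending: map[string]bool{}}
}

// NewNonce mints the dix:/message-id the Membersite sends with its request.
func (m *Membersite) NewNonce() string {
	var buf [16]byte
	if _, err := rand.Read(buf[:]); err != nil {
		panic(err)
	}
	n := b64.EncodeToString(buf[:])
	m.pending[n] = true
	return n
}

// Verify checks the signature first (so unsigned junk never touches the nonce
// table), then the audience, then consumes the nonce to defeat replay.
func (m *Membersite) Verify(wire string) (Ticket, error) {
	parts := strings.SplitN(wire, ".", 2)
	if len(parts) != 2 {
		return Ticket{}, errors.New("malformed wire format")
	}
	payload, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(m.pub, payload, sig) {
		return Ticket{}, errors.New("bad signature")
	}
	t, err := parseCanonical(payload)
	if err != nil {
		return Ticket{}, err
	}
	if t.Audience != m.name {
		return Ticket{}, errors.New("ticket issued for a different Membersite")
	}
	if !m.pending[t.MessageID] {
		return Ticket{}, errors.New("unknown or already-used nonce (replay)")
	}
	delete(m.pending, t.MessageID)
	return t, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	hs, ms := Homesite{priv}, NewMembersite("https://member.example", pub)
	nonce := ms.NewNonce() // travels to the Homesite with the auth request
	wire := hs.Issue(Ticket{nonce, "alice@home.example", ms.name})
	fmt.Println(ms.Verify(wire)) // accepted
	fmt.Println(ms.Verify(wire)) // rejected: nonce already consumed
}
```

The Membersite side still needs a signature verifier, which is the crux of the disagreement above: an Ed25519 verify over raw bytes is a single library call with no canonicalization or XML parsing, which is a much smaller dependency than an XML DSIG stack. In a real deployment the `pending` table would also need an expiry so abandoned nonces do not accumulate.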
