Open lukaszmakuch opened 2 years ago
Hi! 👋
I'd like to thank everyone who has ever worked on this library, as it has helped me build things I wouldn't have built otherwise.
After years of using it, I understood XML Signatures better and I noticed some issues which I believe could be avoided if the API was simpler.
I'd like to propose adding a high-level API that makes our apps harder to hack. Here's how it'd look:
You can read the rationale behind it in this blog post: "Your XML security library is sabotaging your work. Here's what you can do about it." It's evident that verifying signatures poses a real challenge. An example is described in a post titled "Are XML Signatures secure?".
The current, low-level API doesn't have to be removed, so everything can be backward-compatible.
The new, safer API can be built on top of the existing one.
Should we help developers deliver secure solutions?

Hi @lukaszmakuch! I don't mean to hijack this topic to self-promote here, but I've been working on something like this for a while and I'm curious to know what you think about this library. The signature part is done, the encryption part is a WIP. Its API is made so it has zero-to-no room for misuse.

(Disclaimer: not a PHP developer.)
It appears that the library you linked to requires some custom trait implementations. If I were implementing XML-DSIG, the API I would provide is basically the high-level API @lukaszmakuch mentioned, with whatever restrictions make sense for a given use-case.

@DemiMarie This is not true. What trait implementations are you referring to? Have you read the README? I don't see how things can get more high-level than feeding the library with a key, an algorithm and the XML that has to be signed.

I did read the README, but I think the getId() method combined with the lack of an example that took only strings as input confused me. As I said, I am not a PHP developer, though I know the basic syntax of the language.