Suggestion: a developer friendly, secure API #238
Comments
|
Hi @lukaszmakuch ! I don't mean to hijack this topic to self-promote here, but I've been working on something like this for a while and I'm curious to know what you think about this library. The signature-part is done, the encryption-part is a WIP. It's API is made so it has zero-to-no room for mis-use. |
(Disclaimer: not a PHP developer.) It appears that the library you linked to requires some custom trait implementations. If I were implementing XML-DSIG, the API I would provide is basically the high-level API @lukaszmakuch mentioned, with whatever restrictions make sense for a given use-case. |
|
@DemiMarie This is not true. What trait implementations are you referring to? Have you read the README? |
I did read the README, but I think the |
Hi! 👋
I'd like to thank everyone who has ever worked on this library, as it has helped me build things I wouldn't have built otherwise.
After years of using it, I understood XML Signatures better and I noticed some issues which I believe could be avoided if the API was simpler.
I'd like to propose adding a high-level API that makes our apps harder to hack. Here's how it'd look:
and
You can read the rationale behind it in this blog post - Your XML security library is sabotaging your work. Here's what you can do about it. It's evident verifying signatures poses a real challenge. An example is described in a post titled Are XML Signatures secure?.
The current, low-level API doesn't have to be removed, so everything can be backward-compatible.
The new, safer API can be built on top of the existing one.
Should we help developers deliver secure solutions?
The text was updated successfully, but these errors were encountered: