Thought I'd ping this thread even though it's been awhile. I have some of the same questions as Sam as I delve further into signed assertions.
Thanks,
k
--
Hi Nate,
My apologies in advance: I'm typing this on an android with very little sleep.
HMAC based algorithms are commonly used for passwords because MAC stands for Message Authentication Code -- meaning both parties need to have the same code, or password, to then prove the source of the message without leaking the key to eavesdroppers. It's a "shared secret".
Public-private key signing, as opposed to general hashing and encryption, unlike HMAC, is about saying "I did this" without sharing the secret.
An algorithm, possibly the correct one, is: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-13#section-3.3
Here are some examples of the signing, though light on verification detail: http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-06#appendix-A.2
In contrast to RSA algorithms, there are shorter signature length ECDSA versions. In SSL, these can be used to provide what's advertised as "perfect" forward secrecy. (Meaning even if the private key is broken, they provide a way of randomizing the encryption in use at that moment such that recorded data can't be easily captured and decrypted later.) You can see an example of this mentioned in that text, as it notes you cannot exactly duplicate a signature by running the algorithm again. You'll instead have a different, yet still valid, signature. This extra instability is what lets you get away with smaller key sizes-- the built-in unpredictable nature of the output helps keep things random even with fewer encoded characters, or bytes.
http://rsapss.hboeck.de/rsapss.pdf
Anyway, to wrap up, the previous link appears to be an excellent introductory resource, though note the date and the emphasis on the distinction of a secure algorithm vs a secure implementation. Algorithms can be secure but then their implementations can be vulnerable. There's plenty more online, including the GRC/Twit production of Security Now and the Security StackExchange site. I'm sure Googling the different terms will reveal even more resources.
As to revocations, as I hinted at earlier, I think it might be an interesting idea for a verification tool or service to have a bundle of verified providers, of known trusted keys like SSL relies on today. And like SSL, this works best as Chrome has shown, if such revocation and key checking is performed locally at the browser to ensure verification sites aren't spoofed. That said, while useful for SSL, it might be overkill or itself attackable with fewer benefits for low-volume verifications. And if we run over SSL, such certificate integrity checking is less necessary. Properly secured SSL could help validate the source of a public key and revocation list.
Louis.
--