W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [widgets] Digsig optimization

From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Date: Fri, 27 Feb 2009 08:18:41 -0500
Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, "public-webapps@w3.org WG" <public-webapps@w3.org>, "ext Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>
Message-Id: <5319A93D-F685-47CC-90D0-C2C4B926CBAA@nokia.com>
To: "marcosc@opera.com" <marcosc@opera.com>

Yes, logically there would be two self contained signatures with  
references to every file in the package.

Again Policy indicates which signatures must be verified. What does  
the packaging spec currently say? To date it has been one distributor  
spec that must be verified. We should be clearer on this - I think  
this goes with the changes we make regarding filename sorting and  

However if both are to be verified, and if the algorithms are the same  
(which is currently the case given one hash algorithm in widget  
signatures) an implementation could be smart and calculate the  
reference hashes once, eliminating that overhead if it were a concern.

regards, Frederick

Frederick Hirsch

On Feb 27, 2009, at 6:48 AM, ext Marcos Caceres wrote:

> Hi Frederick, Mark,
> I have a concern wrt the author signature. It seems that both the
> author signature and the distributor signature need to sign every file
> in the package. Does this mean that, to verify a package, you would
> need to effectively verify everything in the package twice? or is
> verification of the author signature optional?
> Kind regards,
> Marcos
> --
> Marcos Caceres
> http://datadriven.com.au
Received on Friday, 27 February 2009 13:19:50 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:14 UTC