W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [widgets] Digsig optimization

From: Marcos Caceres <marcosc@opera.com>
Date: Fri, 27 Feb 2009 15:33:39 +0100
Message-ID: <b21a10670902270633m5c15849fuf383a4c1343cd615@mail.gmail.com>
To: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Cc: "public-webapps@w3.org WG" <public-webapps@w3.org>, "ext Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>
Hi Frederick,
On Fri, Feb 27, 2009 at 2:18 PM, Frederick Hirsch
<Frederick.Hirsch@nokia.com> wrote:
> Marcos
> Yes, logically there would be two self contained signatures with references
> to every file in the package.
> Again Policy indicates which signatures must be verified. What does the
> packaging spec currently say?

It says, "see Widgets Digsig Spec" :)

> To date it has been one distributor spec that
> must be verified. We should be clearer on this - I think this goes with the
> changes we make regarding filename sorting and processing.

The P&C just hands the list of signatures to the Dig Sig spec.

> However if both are to be verified, and if the algorithms are the same
> (which is currently the case given one hash algorithm in widget signatures)
> an implementation could be smart and calculate the reference hashes once,
> eliminating that overhead if it were a concern.

Right, but using the same algorithms is not guaranteed.

Kind regards,

Marcos Caceres
Received on Friday, 27 February 2009 14:34:21 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:14 UTC