- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Tue, 14 Apr 2009 11:27:51 +0300
- To: public-webapps <public-webapps@w3.org>
I noticed that widget packaging uses XML signatures (notorious for bugs in canonicalization/reserialization code) for signing zip files. However, signing zip files has been solved long ago for Java jar files. The mechanism or a variation of it is also used for Mozilla xpi files and ODF documents. Wouldn't it be simpler to use jar signing instead of inventing a new way of signing zip files with implementation dependencies on XML signatures and spec dependencies on XSD? (Why does the spec have dependencies on XSD?) Jar signing is pretty simple compared to XML canonicalization & reserialization. When you need to reserialize XML, you import all the troubles of serializing XML (see e.g. https://issues.apache.org/bugzilla/buglist.cgi?query_format=advanced&product=Security&component=Canonicalization&cmdtype=doit ). The META-INF folder is ugly, but unsigned widgets could omit it, and it isn't much uglier than an XML signature file on the top level of the zip archive. -- Henri Sivonen hsivonen@iki.fi http://hsivonen.iki.fi/
Received on Tuesday, 14 April 2009 08:28:35 UTC