W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [widgets] Jar signing vs. XML signatures

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 14 Apr 2009 10:57:29 +0200
To: Henri Sivonen <hsivonen@iki.fi>
Message-Id: <3BFF03AF-E7B2-4A7D-9DCB-7F18D18F8380@w3.org>
Cc: public-webapps <public-webapps@w3.org>
On 14 Apr 2009, at 10:27, Henri Sivonen wrote:

> Wouldn't it be simpler to use jar signing instead of inventing a new  
> way of signing zip files with implementation dependencies on XML  
> signatures and spec dependencies on XSD? (Why does the spec have  
> dependencies on XSD?)

Which XSD dependency do you mean?  The only XSD dependencies I could  
think of right now are ones that say things like "the value of this  
attribute is of type anyURI" or "the value space of this element is a  
restriction on the base64Binary XSD type."  XML Signature does not  
require schema validation, or anything like that.

> When you need to reserialize XML, you import all the troubles of  
> serializing XML (see e.g. https://issues.apache.org/bugzilla/buglist.cgi?query_format=advanced&product=Security&component=Canonicalization&cmdtype=doit 
>  ).

The only place where you actually need canonicalization is when  
hashing the SignedInfo element inside the signature file (i.e., once  
per signature verification).

Given that the signature format is profiled down pretty heavily in the  
widget signing spec, I'd dare a guess that most of the complexity  
isn't ever used, so a careful implementation might be able to write a  
c14n implementation that bails out on anything that doesn't look like  
a signature that follows the constraints in this format.
Received on Tuesday, 14 April 2009 08:57:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:53 UTC