Re: [widgets] Jar signing vs. XML signatures

On Tue, Apr 14, 2009 at 2:56 PM, Marcos Caceres <marcosc@opera.com> wrote:
>
>
> On 4/14/09 2:51 PM, timeless wrote:
>>
>> Marcos Caceres<marcosc@opera.com>  wrote:
>>>
>>> Although I agree that it was probably a short-sightedness mistake on
>>> our part to not have looked at JAR signing at the start of this
>>> process, I think it is too late for you to ask us to dump over a year
>>> worth of work on this spec - especially as we are about to go to Last
>>> Call and have significant industry support (BONDI) for using XML
>>> Signatures.
>>
>>> Although I also agree that there are issues with
>>> canonicalization, I find it hard to believe that JAR signatures are
>>> not without their own problems. I think it would be more productive to
>>> help us address the issues that you mentioned, instead of asking us to
>>> dump everything and start again.
>>
>> I'm willing to drop XML signing :)
>>
>> I guess I never really understood enough about why we went off on XML
>> signing and didn't think to ask why we didn't look at JAR signing :(
>
> I guess it was "it was not done here (w3c)" syndrome.

Having said that, XML Sig meets our Requirements [1].

Kind regards,
Marcos

[1] http://dev.w3.org/2006/waf/widgets-reqs/#security-and-digital-signatures
-- 
Marcos Caceres
http://datadriven.com.au

Received on Tuesday, 14 April 2009 13:20:19 UTC