W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [widgets] Jar signing vs. XML signatures

From: Henri Sivonen <hsivonen@iki.fi>
Date: Tue, 14 Apr 2009 17:19:05 +0300
Cc: Thomas Roessler <tlr@w3.org>, public-webapps <public-webapps@w3.org>
Message-Id: <F176998F-DDB4-487A-AC13-6A241F15D3C5@iki.fi>
To: marcosc@opera.com
On Apr 14, 2009, at 14:38, Marcos Caceres wrote:

> I think it would be more productive to help us address the issues  
> that you mentioned, instead of asking us to dump everything and  
> start again.

So the issues were:
  1) The complexity of canonicalization/reserialization of XML.
  2) Spec dependency on XSD.
  3) Inability to use existing jar signing tools.

If you are already profiling XML signature a lot and are already using  
a detached signature file, it seems to me that you are one step away  
from optimizing away canonicalization:

Instead of canonicalizing the manifest XML and using XML signature,  
you could treat the manifest XML as a binary file and sign it the  
traditional way leaving a detached binary signature in the format  
customary for the signing cipher in the zip file. This would address  
issues #1 and #2.

But then if you are signing the XML manifest file the traditional way,  
you are a step away from using jar-compatible manifests. :-) This  
would address issue #3.

Henri Sivonen
Received on Tuesday, 14 April 2009 14:19:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:53 UTC