- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Tue, 14 Apr 2009 17:19:05 +0300
- To: marcosc@opera.com
- Cc: Thomas Roessler <tlr@w3.org>, public-webapps <public-webapps@w3.org>
On Apr 14, 2009, at 14:38, Marcos Caceres wrote: > I think it would be more productive to help us address the issues > that you mentioned, instead of asking us to dump everything and > start again. So the issues were: 1) The complexity of canonicalization/reserialization of XML. 2) Spec dependency on XSD. 3) Inability to use existing jar signing tools. If you are already profiling XML signature a lot and are already using a detached signature file, it seems to me that you are one step away from optimizing away canonicalization: Instead of canonicalizing the manifest XML and using XML signature, you could treat the manifest XML as a binary file and sign it the traditional way leaving a detached binary signature in the format customary for the signing cipher in the zip file. This would address issues #1 and #2. But then if you are signing the XML manifest file the traditional way, you are a step away from using jar-compatible manifests. :-) This would address issue #3. -- Henri Sivonen hsivonen@iki.fi http://hsivonen.iki.fi/
Received on Tuesday, 14 April 2009 14:19:49 UTC