- From: Marcos Caceres <marcosc@opera.com>
- Date: Wed, 15 Apr 2009 14:00:31 +0200
- To: Henri Sivonen <hsivonen@iki.fi>
- Cc: Thomas Roessler <tlr@w3.org>, public-webapps <public-webapps@w3.org>
Hi Henri,

On Tue, Apr 14, 2009 at 4:19 PM, Henri Sivonen <hsivonen@iki.fi> wrote:
> On Apr 14, 2009, at 14:38, Marcos Caceres wrote:
>
>> I think it would be more productive to help us address the issues that you
>> mentioned, instead of asking us to dump everything and start again.
>
>
> So the issues were:
> 1) The complexity of canonicalization/reserialization of XML.

I think this is an issue that needs to be taken up with XML Security WG or whoever is working on the canonicalization spec.

> 2) Spec dependency on XSD.

We can probably address this and use prose as you suggested. So you recommend we follow HTML5 here, right? Given that you understand the problem, can you maybe propose some text?

> 3) Inability to use existing jar signing tools.

I'm not sure there is much we can do about that. Having to support two formats seems like a pain.

> If you are already profiling XML signature a lot and are already using a
> detached signature file, it seems to me that you are one step away from
> optimizing away canonicalization:

Right.

> Instead of canonicalizing the manifest XML and using XML signature, you
> could treat the manifest XML as a binary file and sign it the traditional
> way leaving a detached binary signature in the format customary for the
> signing cipher in the zip file. This would address issues #1 and #2.

That is our intention.

> But then if you are signing the XML manifest file the traditional way, you
> are a step away from using jar-compatible manifests. :-) This would address
> issue #3.

hmmm. I don't think we will be doing that.

--
Marcos Caceres
http://datadriven.com.au

Received on Wednesday, 15 April 2009 12:01:39 UTC
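
The trade-off discussed in this message, signing the manifest as opaque bytes versus signing its canonical XML form, shown as an added example that is not part of the original email or of the widget specification. It assumes SHA-256 as the digest a signature would cover and uses Python's standard-library C14N 2.0 as a stand-in for whichever canonicalization a spec would mandate; the manifests and the `http://example.org/ns` namespace are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample manifests (not taken from the thread or the spec).
SIGNED = b'<widget xmlns="http://example.org/ns" id="w1" version="1.0"><name>Demo</name></widget>'
# Same XML content after a tool re-serialized it: attribute order, quotes and spacing differ.
RESERIALIZED = b"<widget  version='1.0' id='w1' xmlns='http://example.org/ns'><name>Demo</name></widget>"
# An actual content change.
TAMPERED = SIGNED.replace(b"Demo", b"Evil")


def byte_digest(data: bytes) -> bytes:
    """Digest over the file exactly as stored in the zip; no XML parser involved."""
    return hashlib.sha256(data).digest()


def c14n_digest(data: bytes) -> bytes:
    """Digest over the canonical form; the verifier must parse and reserialize first."""
    canonical = ET.canonicalize(xml_data=data.decode("utf-8"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def compare(signed: bytes, received: bytes) -> dict:
    """Report which digest of `received` still matches the one taken at signing time."""
    return {
        "bytes": hmac.compare_digest(byte_digest(signed), byte_digest(received)),
        "c14n": hmac.compare_digest(c14n_digest(signed), c14n_digest(received)),
    }


if __name__ == "__main__":
    for label, doc in [("identical", SIGNED),
                       ("reserialized", RESERIALIZED),
                       ("tampered", TAMPERED)]:
        print(label, compare(SIGNED, doc))
```

The byte-level check keeps XML parsing out of the verification path, at the cost that any tool rewriting the manifest after signing invalidates the signature even when the content is unchanged.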