Re: [widgets] Jar signing vs. XML signatures

On Apr 16, 2009, at 10:51 , Henri Sivonen wrote:
> On Apr 15, 2009, at 22:16, Frederick Hirsch wrote:
>> We are not using the transform chain where complexity and  
>> performance issues occur,
>
> The complexity concern I raised is that the last signing step needs  
> to run canonicalization and reserialization in order to get a byte  
> stream to sign when it would be simpler to use a detached signature  
> that signs the original uncanonicalized bytes. Running  
> canonicalization first requires more code.
>
> If I've understood correctly, the idea is that widget support can be  
> added to an existing Web browser engine with smallish effort. It  
> seems to me that there is no pre-existing reason for a Web browser  
> engine to contain an implementation of canonicalization or XML  
> signatures.

Trying to separate the discussion from the change request: would you  
be satisfied if requirements to perform C14N were removed and reliance  
on XSD data types for definition purposes were replaced with something  
less scary (though in this case this is a bit of a FUD argument Henri,  
the referenced types aren't overwhelming)?

-- 
Robin Berjon - http://berjon.com/
     Feel like hiring me? Go to http://robineko.com/

Received on Friday, 17 April 2009 10:25:46 UTC