- From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
- Date: Fri, 27 Feb 2009 08:18:41 -0500
- To: "marcosc@opera.com" <marcosc@opera.com>
- Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, "public-webapps@w3.org WG" <public-webapps@w3.org>, "ext Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>
Marcos Yes, logically there would be two self contained signatures with references to every file in the package. Again Policy indicates which signatures must be verified. What does the packaging spec currently say? To date it has been one distributor spec that must be verified. We should be clearer on this - I think this goes with the changes we make regarding filename sorting and processing. However if both are to be verified, and if the algorithms are the same (which is currently the case given one hash algorithm in widget signatures) an implementation could be smart and calculate the reference hashes once, eliminating that overhead if it were a concern. regards, Frederick Frederick Hirsch Nokia On Feb 27, 2009, at 6:48 AM, ext Marcos Caceres wrote: > Hi Frederick, Mark, > I have a concern wrt the author signature. It seems that both the > author signature and the distributor signature need to sign every file > in the package. Does this mean that, to verify a package, you would > need to effectively verify everything in the package twice? or is > verification of the author signature optional? > > Kind regards, > Marcos > > > -- > Marcos Caceres > http://datadriven.com.au
Received on Friday, 27 February 2009 13:19:50 UTC