- From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
- Date: Fri, 27 Feb 2009 08:20:29 -0500
- To: "Hirsch Frederick (Nokia-CIC/Boston)" <Frederick.Hirsch@nokia.com>
- Cc: "marcosc@opera.com" <marcosc@opera.com>, "public-webapps@w3.org WG" <public-webapps@w3.org>, "ext Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>
obviously I meant every non-signature file etc

regards, Frederick

Frederick Hirsch
Nokia

On Feb 27, 2009, at 8:18 AM, Hirsch Frederick (Nokia-CIC/Boston) wrote:

> Marcos
>
> Yes, logically there would be two self contained signatures with
> references to every file in the package.
>
> Again Policy indicates which signatures must be verified. What does
> the packaging spec currently say? To date it has been one distributor
> spec that must be verified. We should be clearer on this - I think
> this goes with the changes we make regarding filename sorting and
> processing.
>
> However if both are to be verified, and if the algorithms are the same
> (which is currently the case given one hash algorithm in widget
> signatures) an implementation could be smart and calculate the
> reference hashes once, eliminating that overhead if it were a concern.
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> On Feb 27, 2009, at 6:48 AM, ext Marcos Caceres wrote:
>
>> Hi Frederick, Mark,
>> I have a concern wrt the author signature. It seems that both the
>> author signature and the distributor signature need to sign every
>> file in the package. Does this mean that, to verify a package, you
>> would need to effectively verify everything in the package twice? or
>> is verification of the author signature optional?
>>
>> Kind regards,
>> Marcos
>>
>> --
>> Marcos Caceres
>> http://datadriven.com.au
Received on Friday, 27 February 2009 13:21:47 UTC
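The hash-once idea raised in this thread, sketched as an added example that is not part of the original messages or of any widget implementation: two signatures reference every non-signature file, and a shared digest cache keyed by (file, algorithm) means each file is hashed once. The file names, the choice of SHA-256 and all function names are assumptions; only the reference-digest step is modelled, so each signature's own signature value would still be verified separately.

```python
import hashlib
import hmac

ALG = "sha256"  # assumption: the single hash algorithm both signatures use
SIG_FILES = {"author-signature.xml", "signature1.xml"}  # constructed names

class DigestCache:
    """Hashes each (file, algorithm) pair at most once per package."""

    def __init__(self, files):
        self.files = files      # name -> bytes
        self._digests = {}
        self.computed = 0       # hash computations actually performed

    def digest(self, name, alg):
        key = (name, alg)
        if key not in self._digests:
            self._digests[key] = hashlib.new(alg, self.files[name]).digest()
            self.computed += 1
        return self._digests[key]

def make_references(files, alg=ALG):
    """References over every non-signature file, as a signer would emit."""
    return [(n, alg, hashlib.new(alg, data).digest())
            for n, data in sorted(files.items()) if n not in SIG_FILES]

def failed_references(refs, cache):
    """Names that are unreferenced, missing, or whose digest mismatches."""
    referenced = {name for name, _, _ in refs}
    bad = [n for n in sorted(cache.files)
           if n not in SIG_FILES and n not in referenced]
    for name, alg, expected in refs:
        if name not in cache.files or not hmac.compare_digest(
                cache.digest(name, alg), expected):
            bad.append(name)
    return bad

def verify_package(files, signatures):
    """Check every signature's references against one shared cache."""
    cache = DigestCache(files)
    results = {sig: failed_references(refs, cache)
               for sig, refs in signatures.items()}
    return results, cache.computed

# Constructed sample package: three content files plus two signature files.
PACKAGE = {
    "config.xml": b"<widget/>",
    "index.html": b"<html></html>",
    "icon.png": b"\x89PNG constructed",
    "author-signature.xml": b"(author signature placeholder)",
    "signature1.xml": b"(distributor signature placeholder)",
}
SIGNATURES = {"author": make_references(PACKAGE),
              "distributor": make_references(PACKAGE)}
```

Because the cache key includes the algorithm, a package whose signatures used different hash algorithms would still verify correctly; it would simply hash each file once per algorithm.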