- From: Marcos Caceres <marcosc@opera.com>
- Date: Fri, 27 Feb 2009 15:33:39 +0100
- To: Frederick Hirsch <Frederick.Hirsch@nokia.com>
- Cc: "public-webapps@w3.org WG" <public-webapps@w3.org>, "ext Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>
Hi Frederick,

On Fri, Feb 27, 2009 at 2:18 PM, Frederick Hirsch <Frederick.Hirsch@nokia.com> wrote:
> Marcos
>
> Yes, logically there would be two self contained signatures with references
> to every file in the package.
>
> Again Policy indicates which signatures must be verified. What does the
> packaging spec currently say?

It says, "see Widgets Digsig Spec" :)

> To date it has been one distributor spec that
> must be verified. We should be clearer on this - I think this goes with the
> changes we make regarding filename sorting and processing.

The P&C just hands the list of signatures to the Dig Sig spec.

> However if both are to be verified, and if the algorithms are the same
> (which is currently the case given one hash algorithm in widget signatures)
> an implementation could be smart and calculate the reference hashes once,
> eliminating that overhead if it were a concern.

Right, but using the same algorithms is not guaranteed.

Kind regards,
Marcos

--
Marcos Caceres
http://datadriven.com.au
Received on Friday, 27 February 2009 14:34:21 UTC
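The optimisation discussed in this message, as an added example that is not part of the original e-mail or of any widget specification: a digest cache keyed on (file name, algorithm) lets two signatures share reference hashes when their algorithms match and still verifies correctly when they differ. It assumes each signature has already been parsed into a list of (name, algorithm, expected digest) references, covers reference validation only, and all names (`DigestCache`, `verify_all`, the sample package) are hypothetical.

```python
import hashlib
import hmac

# Constructed sample package: file name -> content (stands in for the zip entries).
PACKAGE = {
    "config.xml": b"<widget/>",
    "index.html": b"<html></html>",
}


class DigestCache:
    """Computes each (file, algorithm) digest at most once across signatures."""

    def __init__(self, files):
        self.files = files
        self.cache = {}
        self.computed = 0  # number of hash computations actually performed

    def digest(self, name, algorithm):
        key = (name, algorithm)
        if key not in self.cache:
            self.cache[key] = hashlib.new(algorithm, self.files[name]).hexdigest()
            self.computed += 1
        return self.cache[key]


def make_references(files, algorithm):
    """Build a constructed reference list: (name, algorithm, digest) per file."""
    return [(n, algorithm, hashlib.new(algorithm, c).hexdigest())
            for n, c in sorted(files.items())]


def verify_references(references, cache):
    """True only if every reference names a packaged file and its digest matches."""
    for name, algorithm, expected in references:
        if name not in cache.files:
            return False
        if not hmac.compare_digest(cache.digest(name, algorithm), expected):
            return False
    return True


def verify_all(signatures, files):
    """Verify every signature's references; return (results, hashes computed)."""
    cache = DigestCache(files)
    results = [verify_references(refs, cache) for refs in signatures]
    return results, cache.computed
```
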