- From: Mikko Rantalainen <mikko.rantalainen@peda.net>
- Date: Mon, 31 Oct 2011 12:53:18 +0200

2011-10-27 14:29 EEST: Henri Sivonen:
> On Thu, Oct 20, 2011 at 9:57 PM, Martin Boßlet
> <martin.bosslet at googlemail.com> wrote:
>> Are there plans in this direction? Would functionality like this have a
>> chance to be considered for the standard?
>
> The chances are extremely slim.
>
> XML signatures depend on XML canonicalization which is notoriously
> difficult to implement correctly and suffers from interop problems
> because unmatched sets of bugs in the canonicalization phase make
> signature verification fail. I think browser vendors would be
> reasonable if they resisted making XML signatures of canonicalization
> part of the platform.
>
> Moreover, most of the Web is HTML, so enthusiasm for XHTML-only
> features is likely very low these days.

I agree. If a method for signature would be introduced, it should be on
HTTP-level instead. For example, the server (or client) could pass an
extra header (e.g. Content-Signature) where the value would be the signature
of the content with some extra info about the key & algorithm used for
signature.

--
Mikko

Received on Monday, 31 October 2011 03:53:18 UTC
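
The header-level approach suggested in the message above, sketched as an added example that is not part of the original thread: the signature covers the exact body bytes, so no XML canonicalization step is involved. The `keyid`/`alg`/`sig` parameter layout, the key id, and the demo secret are assumptions made for illustration, and HMAC-SHA256 from the standard library stands in for a public-key signature.

```python
import base64
import hashlib
import hmac

# Constructed demo key store: key id -> shared secret (assumption, not from the thread).
KEYS = {"demo-key-1": b"constructed-demo-secret"}
ALGORITHMS = {"hmac-sha256": hashlib.sha256}  # allow-list; anything else is rejected


def sign_body(body: bytes, key_id: str, alg: str = "hmac-sha256") -> str:
    """Build the hypothetical Content-Signature header value for the exact body bytes."""
    mac = hmac.new(KEYS[key_id], body, ALGORITHMS[alg]).digest()
    sig = base64.b64encode(mac).decode("ascii")
    return f"keyid={key_id}; alg={alg}; sig={sig}"


def parse_header(value: str) -> dict:
    """Split 'name=value; name=value' pairs; raise ValueError on malformed input."""
    params = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")  # base64 '=' padding stays in val
        if not sep or not name or name in params:
            raise ValueError("malformed Content-Signature parameter")
        params[name] = val
    return params


def verify_body(body: bytes, header_value: str) -> bool:
    """Return True only if the header authenticates these exact bytes."""
    try:
        p = parse_header(header_value)
        key = KEYS[p["keyid"]]
        digestmod = ALGORITHMS[p["alg"]]
        claimed = base64.b64decode(p["sig"], validate=True)
    except (KeyError, ValueError):
        return False  # unknown key, unlisted algorithm, or bad encoding
    expected = hmac.new(key, body, digestmod).digest()
    return hmac.compare_digest(expected, claimed)  # constant-time comparison


if __name__ == "__main__":
    body = b'<a  b="1"/>'  # constructed sample body
    header = sign_body(body, "demo-key-1")
    print("Content-Signature:", header)
    print("received bytes verify:", verify_body(body, header))
    # Same XML infoset, different bytes: verification is purely byte-level.
    print("re-serialized bytes verify:", verify_body(b'<a b="1"/>', header))
```

Because the check is byte-for-byte, any intermediary that re-serializes the body invalidates the signature; that is the trade-off for avoiding canonicalization.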