OK, so given the arguments I previously posted in my response to Dan +
the assertion that digitally signing individual entries will be
necessary, the only real possible solution would be to come up with a
canonicalization scheme for digitally signed Atom entries. When applied
to an entry, the scheme would transform the entry into what is
effectively a standalone Atom Entry Document with a source and author
elements included and all necessary namespace declarations.

For example, given the following:

  <feed xmlns:xhtml="..." xmlns="...">
    <author>...</author>
    <entry>
      <id>...</id>
    </entry>
  </feed>

The canonicalized version of the entry would look something like:

  <entry xmlns="..." xmlns:xhtml="...">
    <id>...</id>
    <source>
      <author>...</author>
    </source>
  </entry>

The digital signature would then be calculated over the canonicalized
entry.

What else would the canonicalization scheme have to do?

- James

Bob Wyman wrote:
> James M Snell wrote:
>> Question: should we only allow signing of the entire document or are
>> there valid use cases for allowing each individual entry in the feed
>> to be individually signed?
>
> We definitely need to be able to sign each entry. This is necessary
> so that we can pass signed content in aggregated feeds. The mere act
> of aggregation should not force a signature to be removed from an
> item. (Note: Signed entries really *must* include source elements.
> Otherwise, aggregators will be forced to strip off the signatures in
> order to insert the source elements.)
>
> bob wyman
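
The transformation proposed in the message above, as an added example that is not part of the original thread or of any Atom specification: it lifts an entry out of its feed, inherits the feed-level author into a source element, and hashes the canonical bytes a signature would cover. Assumptions: the Atom 1.0 namespace URI, source fixed as the last child, whitespace around text treated as insignificant, and a SHA-256 digest standing in for the signature input.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

# Assumption: the message elides the namespace URI as "..."; this is the Atom 1.0 one.
ATOM = "http://www.w3.org/2005/Atom"

def q(name):
    return "{%s}%s" % (ATOM, name)

def standalone_entry(feed_xml, index=0):
    """Canonical bytes of one entry, made independent of the feed around it."""
    feed = ET.fromstring(feed_xml)
    entry = copy.deepcopy(feed.findall(q("entry"))[index])
    entry.tail = None  # whitespace after </entry> belongs to the feed
    source = entry.find(q("source"))
    if source is None:
        # Entry still sits in its home feed: inherit the feed-level author.
        source = ET.Element(q("source"))
        source.extend([copy.deepcopy(a) for a in feed.findall(q("author"))])
    else:
        # An aggregator already supplied a source; keep it, never re-inherit.
        entry.remove(source)
    entry.append(source)  # assumption: the scheme fixes source as the last child
    # Serializing the detached element declares every namespace it uses, with
    # prefixes chosen by ElementTree rather than by whichever feed carried it.
    xml = ET.tostring(entry, encoding="unicode")
    return ET.canonicalize(xml, strip_text=True).encode("utf-8")

def entry_digest(feed_xml, index=0):
    """SHA-256 over the canonical entry: the value a signature would cover."""
    return hashlib.sha256(standalone_entry(feed_xml, index)).hexdigest()

# Constructed sample data: the same entry in its home feed and in an aggregate.
ORIGINAL_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <author><name>Example Author</name></author>
  <entry>
    <id>tag:example.org,2005:entry-1</id>
  </entry>
</feed>"""
AGGREGATED_FEED = """<a:feed xmlns:a="http://www.w3.org/2005/Atom">
<a:author><a:name>Aggregator</a:name></a:author>
<a:entry><a:source><a:author><a:name>Example Author</a:name></a:author></a:source>
<a:id>tag:example.org,2005:entry-1</a:id></a:entry></a:feed>"""

if __name__ == "__main__":
    print(entry_digest(ORIGINAL_FEED) == entry_digest(AGGREGATED_FEED))
```

The two constructed feeds differ in prefix, whitespace, child order and feed-level author, yet the entry yields the same digest in both, which is the property that lets a signature survive aggregation.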