I believe it would be very useful to specify that signed entries should
include a source element. This can/should be considered part of entry
canonicalization.
The reason I suggest this is that signed entries are only really useful
when extracted from their original source feeds. If entries are only read
from their source feeds, then it is probably best for publishers to sign the
feed, not the individual entries. (Note: It is my hope that feed publishers
will anticipate that their entries will be extracted from the source feeds
and will thus sign the individual entries rather than the feeds... i.e.
Publishers should anticipate that intermediaries like PubSub and various
other search/discovery services will aggregate their entries and republish
them in non-source feeds.)
When an entry is removed from its source, it SHOULD have a source
element inserted if one is not already present. However, if a republisher
inserts a source element into a signed entry that would break the signature.
Thus, it seems reasonable that we should strongly encourage those who sign
entries to anticipate the needs of subsequent processors by inserting the
source elements in the original signed entries. By inserting the source
elements, the requirement for others to break the signature will be
drastically reduced. If an entry is signed, yet contains no source element,
much of the utility of the signature (allowing verification of the original
publisher) is eliminated.
bob wyman
- Re: Roll-up of proposed changes to atompub-format section... Bob Wyman
-