On Jul 5, 2005, at 9:27 AM, James M Snell wrote:
Huh?! Pardon my ignorance, could you please provide an
explanation for the simple-minded as to how the absence of a
source element in a signed entry will lead to signatures being
discarded? Also, it would be helpful to sketch in some of the
surrounding scenario... -Tim
Bob can clarify exactly what he means but from my perspective it
comes down to an aggregation problem. If a signature is generated
over an entry that does not contain an author element or a source
element, that entry cannot be re-enveloped into an aggregate feed
that does not contain a top level author element without breaking
the signature
Well, yes. Anyone who understands digsig, even someone such as
myself with only a surface knowledge, can see this. You can't change
a signed object without breaking the sig, that's the point. If I
want to sign an entry and also want to make it available for
aggregation then yes, I'd better put in an atom:source. But this is
inherent in the basic definition of digsig; not something we need to
call out. -Tim
