Hi! On Tue, Jun 30, 2009 at 06:39:15PM -0400, Ant Bryan wrote: > > http://groups.google.com/group/metalink-discussion/web/internetdraft > > this is the final remaining large(?) issue with the current Internet > Draft. does anyone have experience with other types of signatures that > could be included in metalinks?
Not really. Other than PGP signatures, I could think of S/MIME and X.509 being theoretically usable, however I don't think that they could become important in practice, and I have never seen files signed with anything else than PGP signatures. Are there others? > * Section 4.2.14 - Current Metalinks are limited to including PGP > signatures of files listed inside the Metalinks, but not other types > of digital signatures. (This does not concern signing of Metalinks > themselves, that is covered in the Securing Metalink Documents and > Security Considerations: Signing sections). Yup, and the document makes it clear that the two are different and orthogonal (content signing versus metalink signing). > We need to allow other types of file signatures, besides PGP, to > be referenced in Metalinks. In fact, I'm not sure if it is too limiting if we don't allow others. "pgp" doesn't specify much, exists in various versions, and as "container" can mean different things already. It could (and I suppose, will) be enhanced later to implement new algorithms, or new PKI schemes. Therefore, the draft is fine as it is, maybe. It specifies "pgp" as valid and allows further, yet unkown types. Peter -- "WARNING: This bug is visible to non-employees. Please be respectful!" SUSE LINUX Products GmbH Research & Development
pgpIGwva9Sax9.pgp
Description: PGP signature
