On 14 Apr 2009, at 16:19, Henri Sivonen wrote:

Instead of canonicalizing the manifest XML and using XML signature, you could treat the manifest XML as a binary file and sign it the traditional way, leaving a detached binary signature in the format customary for the signing cipher in the zip file. This would address issues #1 and #2.

The manifest isn't the issue; part of the signature itself is. The widget signing proposal already makes minimal use of canonicalization.

