I'm taking a time out from this thread for a bit. Please take it as a given that using existing formats is preferable to rolling your own, and concentrate on clearly writing up the security details (what should be signed, by whom, how delegation might work) and trying to find a set of minimal changes to existing mechanisms to support these, instead of insisting that you must throw everything out and start from scratch. There is a large benefit to reusing existing formats and making gradual changes, and this benefit far outweighs the sort of minor quibbles you have been presenting.

In particular, the http://wiki.laptop.org/go/Activity_bundles spec already has manifest and signature components specified, and IMO separate standalone "translation packs" of the form saymindu has been working on are a much better solution to the "independent translation" problem than your elaborate system of signed and unsigned files.

Further, IMO group maintenance of an activity is best solved by simply creating a keypair shared by all maintainers of the activity. Yes, this isn't as intellectually stimulating as an elaborate web of trust of delegated signatures, but it is 95% as functional for much less conceptual and implementation cost. More elaborate group mechanisms can be built on this simple base; we don't need to jump immediately to an all-singing all-dancing solution.

Please show me that you can make small incremental improvements to the existing codebase which we can discuss and evaluate independently. The existing activity bundle spec has a very simple manifest and signature mechanism specified. Let's start by implementing that in bundle-builder, and checking it in rainbow. Then we can discuss more elaborate mechanisms.

I look forward to seeing your code for this. Please post it in standard unified diff form to the security mailing list, with '[PATCH]' in the subject line. Include me in the cc to ensure I see it.

--scott

--
( http://cscott.net/ )
_______________________________________________
Security mailing list
[email protected]
http://lists.laptop.org/listinfo/security

