[atom-syntax copied because while it seems inappropriate for this discussion it
is the working group's official list of record according to the charter]
Hi. I'm one of the security area directors and I currently have a
blocking discuss comment on the atom protocol document. Lisa has
suggested fixes that address almost all of my concerns. There is one
concern remaining that I would like to discuss with the working group.
Section 15.4 of the document basically says that digital signatures
may break and says little more.
That's problematic. I certainly understand that sometimes a server
might choose to do something that has to break digital signatures like
say translating content from one language into another.
However, there are many cases where it is unnecessary for digital
signatures to break. If I post a blog post and the server doesn't
reformat or otherwise change my post, it seems that the signature on
the entry could remain. The spec does not prohibit this, but it seems
that the working group should think more about the issue.
Here are some examples of questions I think should be answered:
1) I'm implementing a server; I don't want to break digital
signatures. What should I be careful of? As an example, what
changes that do not change the meaning of the XML can I make; what
must I avoid? If this can be answered by a reference to a
specific section of another document that would be great.
2) Should I strip a digital signature if I'm going to invalidate it?
3) Should I provide a mechanism for a client to indicate that it would
prefer that a post fail rather than that digital signatures be broken? (This
especially seems potentially useful for encryption.)
4) It's probably desirable to recommend that servers not break digital
signatures unless they are modifying content.
Sam Hartman
Security Area Director
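As an added illustration of questions 1 and 2 (not part of this message or of the Atom specifications): a Python 3.8+ check, using the standard library's C14N 2.0 canonicalizer, of which server-side edits leave the signed bytes of an entry intact and which do not. The SHA-256 digest of the canonical form stands in for real signature verification; the sample entry, its placeholder signature value and the variant inputs are constructed. XML-DSig deployments use Canonical XML 1.0 rather than 2.0, but the lexical equivalences shown here (attribute order, quote style, character references, empty-element form) hold under both.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"


def entry_digest(entry_xml: str) -> str:
    """Digest over the C14N 2.0 form of the entry minus its enveloped ds:Signature
    (the enveloped-signature transform); these are the bytes a signature covers."""
    canonical = ET.canonicalize(entry_xml, exclude_tags=[f"{{{DSIG}}}Signature"])
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def signature_still_valid(as_received: str, as_stored: str) -> bool:
    """True if the stored copy still covers exactly what the client signed."""
    return entry_digest(as_received) == entry_digest(as_stored)


def strip_signature_if_broken(as_received: str, as_stored: str) -> str:
    """Question 2: keep the signature only while it verifies; once the server has
    changed the signed bytes, remove it rather than publish one that will fail."""
    if signature_still_valid(as_received, as_stored):
        return as_stored
    root = ET.fromstring(as_stored)
    for sig in root.findall(f"{{{DSIG}}}Signature"):
        root.remove(sig)
    return ET.tostring(root, encoding="unicode")


# Constructed sample entry as a client might POST it (signature value is a placeholder).
RECEIVED = (
    '<entry xmlns="http://www.w3.org/2005/Atom"><id>urn:uuid:client-constructed</id>'
    '<title type="text">Hello</title><link rel="alternate" href="http://example.invalid/1"/>'
    '<content type="text">Hi there.</content>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<SignatureValue>placeholder</SignatureValue></Signature></entry>'
)
# Lexical changes only (quote style, character reference, attribute order,
# empty-element form): the infoset is unchanged, so canonicalization absorbs them.
LEXICAL_ONLY = (
    '<entry xmlns="http://www.w3.org/2005/Atom"><id>urn:uuid:client-constructed</id>'
    "<title type='text'>&#72;ello</title>"
    '<link href="http://example.invalid/1" rel="alternate"></link>'
    '<content type="text">Hi there.</content>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<SignatureValue>placeholder</SignatureValue></Signature></entry>'
)
# Pretty-printing adds whitespace text nodes; assigning a server id changes content.
# Both change the canonical bytes, so both break the signature.
PRETTY_PRINTED = RECEIVED.replace("><", ">\n  <")
ID_REASSIGNED = RECEIVED.replace("urn:uuid:client-constructed", "urn:uuid:server-assigned")
```

Calling `signature_still_valid(RECEIVED, variant)` returns True only for `LEXICAL_ONLY`; the other two variants get their ds:Signature removed by `strip_signature_if_broken`.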