Lisa Dusseault a écrit :
I did some thinking about this since it came up in IESG evaluation and
concluded that for the moment, there's no way for the client to
reliably and interoperably publish client-signed entries. We should
start by stating that in atompub (because I am guessing we're going to
standardize a mechanism right now).
If there is a requirement that clients understand signed entries, then
we can interoperably have the *server* sign entries and that may be
slightly useful. Not only is it slightly useful if the server signs
with its own key, it also allows for some non-standard backchannel
between publishing clients and servers, in which clients sign with
their own keys. Although the signing mechanism would be non-standard
in that case, all existing clients would be required to understand
signatures so this optional authoring feature would not break
general publishing interoperability.
That'd be easier for sure but how to deal with potential server to
server exchange?
- Sylvain
