Lisa Dusseault wrote:
On Jun 18, 2007, at 9:16 AM, Bjoern Hoehrmann wrote:
This should be "Servers should remove invalidated signatures". However,
this may give the false impression that support for signatures is
required, and does not address what to do if the server does not know if
a signature has been invalidated.
If there's any doubt about whether support for signatures is required --
James says yes, and Bjoern says no -- we need to be clearer in the
publishing protocol document.
Otherwise, a server implementor could decide that "since I don't sign
entries I don't need any code to handle signatures".
I was just going to note that *if* we make it mandatory to do something
wrt signatures, we need to reference xml-dsig & friends normatively.
Turns out, we already do. Is this really intended & correct?
Best regards, Julian