On Jun 19, 2007, at 12:42 PM, James M Snell wrote:

Because servers are allowed (and in some cases required) to modify the
contents of an Entry Document before publishing it, a client that signs
an Entry Document should only do so with the intention of the server
possibly validating the submission; the client cannot assume that the
signature will be valid when viewed by a third party, or that the server
will even publish the client's signature.


This gets too close to dictating implementation behavior. There may be
many reasons for having a client sign an entry that go beyond
validating the submission.

Huh? Why would you go to the (nontrivial) trouble of doing a signature if you didn't want someone to check it? And who other than the server could? The phrase "client" here clearly means "software behavior in the context of the Atom Protocol", and if you're signing it in the context of the Atom Protocol, the signature couldn't possibly be useful, in the context of the protocol, to any party other than the server you're sending it to.

-Tim
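
The effect the proposed text describes, a server's changes to a submitted entry invalidating the client's signature for anyone who later checks the published copy, shown as an added example that is not part of the original thread. It assumes an HMAC over the canonicalized XML as a stand-in for a real XML Digital Signature; the key, the sample entries and the `server_publish` step are constructed for illustration.

```python
import hashlib
import hmac
from xml.etree import ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
CLIENT_KEY = b"constructed-demo-key"  # assumption: stand-in for the client's signing key

# Constructed sample: the entry as the client submits it.
SUBMITTED = (
    '<entry xmlns="http://www.w3.org/2005/Atom"><title>Hello</title>'
    '<link rel="alternate" href="http://example.org/hello"/>'
    '<content type="text">First post</content></entry>'
)
# Constructed sample: same content, reserialized (quote style, attribute
# order, empty-element form). Canonicalization should absorb these changes.
RESERIALIZED = (
    "<entry xmlns='http://www.w3.org/2005/Atom'><title>Hello</title>"
    "<link href='http://example.org/hello' rel='alternate'></link>"
    "<content type='text'>First post</content></entry>"
)

def sign(entry_xml):
    """HMAC-SHA256 over the C14N 2.0 form (stand-in for XML-DSig, Python 3.8+)."""
    canonical = ET.canonicalize(entry_xml)
    return hmac.new(CLIENT_KEY, canonical.encode("utf-8"), hashlib.sha256).hexdigest()

def verify(entry_xml, signature):
    """True only if the entry's canonical form still matches the signature."""
    return hmac.compare_digest(sign(entry_xml), signature)

def server_publish(entry_xml):
    """Hypothetical server step: assign atom:id and atom:updated before publishing."""
    ET.register_namespace("", ATOM)  # keep Atom as the default namespace on output
    entry = ET.fromstring(entry_xml)
    ET.SubElement(entry, f"{{{ATOM}}}id").text = "urn:example:entry-1"        # constructed
    ET.SubElement(entry, f"{{{ATOM}}}updated").text = "2007-06-19T12:42:00Z"  # constructed
    return ET.tostring(entry, encoding="unicode")

if __name__ == "__main__":
    sig = sign(SUBMITTED)
    print("as submitted:       ", verify(SUBMITTED, sig))
    print("reserialized only:  ", verify(RESERIALIZED, sig))
    print("published by server:", verify(server_publish(SUBMITTED), sig))
```
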
