Even better (much better) would be to create an extension that
includes the original, signed material, including the signature.  This
allows the server to publish its modified version while still allowing
users (those who care, anyway) to determine which parts of the entry
were actually signed by the client.

Don Park writes:

>  Just a few passing comments/suggestions:

>  1. I think requiring signature-breaking servers to detect and remove  
>  invalidated signatures creates unnecessary chores as well as being a  
>  potential source of confusion in context of the must-ignore rule.

>  2. I think it might make more sense to create an extension designed  
>  to enhance digital-signature support. Such an extension would  
>  include a 'marker' element to indicate that signatures within, if  
>  any, are likely damaged. A feed processing agent downstream can then  
>  use the marker to avoid alarming the user unnecessarily.




>  On Jun 19, 2007, at 5:35 PM, Tim Bray wrote:

>  > On Jun 19, 2007, at 4:43 PM, A. Pagaltzis wrote:
>  >
>  >>> The method for a server to indicate to a third party whether or
>  >>> not the client signed an Entry Document is by including the
>  >>> client's signature in the published entry, even though that
>  >>> signature is likely to be invalid.
>  >>
>  >> I strongly disagree with this. As a consumer, I have no possible
>  >> way to know whether an invalid signature is there because
>  >
>  > I have to agree with Aristotle on this one.  I think we should  
>  > simply drop that last sentence.  -Tim

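The following sketch is an added example, not part of the thread or of any Atom specification. It illustrates the idea at the top of the message: the server publishes its modified entry but carries the client's original signed bytes and signature in an extension element, so a consumer can tell which parts the client actually signed. The `urn:example:signed-original` namespace, the `original` element, the function names and the sample entry are hypothetical, and HMAC-SHA256 stands in for the client's XML signature to keep the example within the standard library.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
EXT = "urn:example:signed-original"  # hypothetical extension namespace
KEY = b"constructed-demo-key"        # constructed stand-in for the client's key
ORIGINAL = (b'<entry xmlns="http://www.w3.org/2005/Atom">'
            b'<title>Hello</title><content>Body text</content></entry>')  # constructed


def sign(data: bytes) -> str:
    # HMAC-SHA256 is a swapped-in stand-in for a real public-key XML signature.
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def publish(original: bytes, signature: str, new_title: str) -> bytes:
    """Server: edit the entry, but embed the exact signed bytes and the signature."""
    entry = ET.fromstring(original)
    entry.find(f"{{{ATOM}}}title").text = new_title
    ext = ET.SubElement(entry, f"{{{EXT}}}original", {"signature": signature})
    ext.text = base64.b64encode(original).decode("ascii")
    return ET.tostring(entry)


def signed_parts(published: bytes) -> dict:
    """Consumer: map each top-level child to True if it matches the signed original."""
    entry = ET.fromstring(published)
    ext = entry.find(f"{{{EXT}}}original")
    if ext is None:
        raise ValueError("no embedded original: nothing is attributable to the client")
    original = base64.b64decode(ext.text or "")
    # Verify the signature over the untouched bytes, never over the published entry.
    if not hmac.compare_digest(sign(original), ext.get("signature", "")):
        raise ValueError("embedded original does not verify")
    # Simplification: compares the text of uniquely named direct children only.
    signed = {child.tag: child.text for child in ET.fromstring(original)}
    return {child.tag.split("}")[1]: child.tag in signed and signed[child.tag] == child.text
            for child in entry if child is not ext}


if __name__ == "__main__":
    print(signed_parts(publish(ORIGINAL, sign(ORIGINAL), "Hello [edited]")))
```

Because the signature is checked against the embedded bytes rather than the republished markup, the server's edits no longer produce an invalid signature that the consumer has to interpret.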