I am interested in this as well. My particular application includes a hash on the link (either MD5 or SHA1) and then signs the entry. Signing the entry prevents the content or hash from being modified.

Brett Lindsley
Motorola Labs Applied Research Technology Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Niklas Lindström
Sent: Friday, July 11, 2008 10:52 AM
To: James M Snell
Cc: [email protected]
Subject: Re: Checksums and Link Extensions

Sounds great! I for one am very interested, and at least Peter Keane as well it seems. :) It would be of great use for more secure transports where e.g. signing isn't viable.

In my specific case our task is to collect document exports via Atom from over a hundred government agencies. All of whom probably won't have the capacity (at least initially) to sign their documents, but can reasonably provide an MD5 (and do the transport over HTTPS). Currently we believe the "more than nothing" of MD5 is enough to verify successful download.

By relying on a Link Extensions spec, we hope the software we produce (intended to be opensourced eventually) will be more interoperable. (And of course we'd save ourselves the trouble of writing down how to supply the md5:s.)

Of course, I'd still like to hear objections to this view (e.g. "md5 and https won't be enough, you really need signing for anything remotely secure").

Best regards,
Niklas

On Fri, Jul 11, 2008 at 4:50 PM, James M Snell <[EMAIL PROTECTED]> wrote:
> The draft was abandoned because of lack of community interest. I would have
> no problem resurrecting it if there is interest.
>
> - James
>
> Niklas Lindström wrote:
>>
>> Hi!
>>
>> I need to supply checksums in Atom entries for resources linked via
>> content/@src or link/@href. I currently use the Link Extensions [1]
>> attribute le:md5, which fits my need precisely.
>>
>> But is this I-D abandoned? Is it of interest to anyone else today, or
>> should I go another route for this? If nothing comparable for
>> signatures exists, how much work would it be to revitalise it (and
>> perhaps add e.g. an le:sha1 for completeness)?
>>
>> (While it's also possible to send the Content-MD5 HTTP header for the
>> actual resource, I would strongly prefer to have the checksums present
>> in the entry itself. And since Atom entries work so well as "resource
>> manifests", the extensions defined by this I-D look very natural to
>> me.)
>>
>> I also wonder about the applicability of XML Digital Signatures [2]
>> for this. I (primarily) need checksums for out-of-line references, and
>> I haven't seen examples of using signatures (the Reference element
>> with DigestMethod + DigestValue) in Atom for this specific case (that
>> is, not signing the entry, only (some of) its references). It also
>> feels like an awful lot of XML for this quite simple use case. :)
>>
>> Does anyone have any advice for this practice?
>>
>> Best regards,
>> Niklas Lindström
>>
>> [1] = <http://tools.ietf.org/html/draft-snell-atompub-link-extensions-02>
>> [2] = <http://www.w3.org/TR/xmldsig-core/>
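
As an added example (not code from the thread or from the Link Extensions draft), this is how a collector could check downloaded resources against the `le:md5` values carried on `content/@src` and `link/@href`. The `le` namespace URI, the URLs and the bodies are assumptions constructed for illustration. A match only shows that the bytes agree with what the entry declares; it says nothing about whether the entry itself was altered, which is what signing the entry addresses.

```python
import hashlib
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
LE = "http://purl.org/atompub/link-extensions/1.0"  # assumed URI for the le: prefix

# Constructed sample data: what a (hypothetical) agency published.
PDF = "https://agency.example/doc/1.pdf"
RDF = "https://agency.example/doc/1.rdf"
PUBLISHED = {PDF: b"constructed document body\n", RDF: b"constructed metadata body\n"}
# Constructed download result in which the second transfer was cut short.
DOWNLOADED = {PDF: PUBLISHED[PDF], RDF: PUBLISHED[RDF][:10]}

def sample_entry():
    """Build a constructed Atom entry whose references carry le:md5."""
    d = {u: hashlib.md5(b).hexdigest() for u, b in PUBLISHED.items()}
    return f"""<entry xmlns="{ATOM}" xmlns:le="{LE}">
  <id>tag:agency.example,2008:doc-1</id>
  <title>Constructed entry</title>
  <updated>2008-07-11T00:00:00Z</updated>
  <content type="application/pdf" src="{PDF}" le:md5="{d[PDF]}"/>
  <link rel="alternate" href="{RDF}" le:md5="{d[RDF]}"/>
</entry>"""

def declared_digests(entry_xml):
    """Return {url: md5 hex} for content/@src and link/@href that carry le:md5."""
    root = ET.fromstring(entry_xml)
    found = {}
    for tag, attr in (("content", "src"), ("link", "href")):
        for el in root.iter(f"{{{ATOM}}}{tag}"):
            url, md5 = el.get(attr), el.get(f"{{{LE}}}md5")
            if url and md5:
                found[url] = md5.strip().lower()
    return found

def verify(entry_xml, fetched):
    """Map each referenced URL to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for url, want in declared_digests(entry_xml).items():
        body = fetched.get(url)
        if body is None:
            results[url] = "missing"
        elif hashlib.md5(body).hexdigest() == want:
            results[url] = "ok"
        else:
            results[url] = "mismatch"
    return results

if __name__ == "__main__":
    for url, status in verify(sample_entry(), DOWNLOADED).items():
        print(status, url)
```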
