On Saturday, January 8, 2005, at 09:41 PM, Bob Wyman wrote:
...As Robert Sayre recently wrote:
>DSig and XMLEnc are in core.
>http://atompub.org/2004/10/20/draft-ietf-atompub-format-03.html#rfc.section.7
However, the text says:
“The document element of an Atom document (i.e., atom:feed in an Atom Feed Document, atom:entry in an Atom Entry Document) MAY have an Enveloped Signature” … “Other elements in an Atom document MUST NOT be signed unless their definitions explicitly specify such a capability.”
I can’t remember if this has been discussed before. I’m tempted to write a Pace which would specify that any atom:entry can be signed – whether it is found in an Atom Feed Document or an Atom Entry Document. Before doing so, I would appreciate if someone could explain if the constraint in the current specification is intentional. Why would a signature not be permitted on an atom:entry found in an Atom Feed Document?

Might this constraint have grown out of http://www.imc.org/atom-syntax/mail-archive/msg09550.html - which I don't read as meaning what's in the current draft? Perhaps the original intent was to impose the following constraints, and the restriction on other elements being signed slipped in inadvertently:
* Document elements may only be signed using DSig.
* Document elements may only use enveloped signatures (as opposed to enveloping, sibling...).
and perhaps:
* If other elements are signed, they must use enveloped signatures, unless their definitions explicitly specify a capability to use enveloping, etc., signatures.
Thinking about it, I haven't been able to come up with a reason to forbid the signing of other elements, and I don't recall discussion of such a restriction either.
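As an added illustration of the rule under discussion (not code from the thread or from any Atom implementation): a small audit that lists every ds:Signature in an Atom document, records which element it envelops and whether it carries the enveloped-signature transform, and flags the cases the draft-03 text quoted above does not allow, i.e. a signature on anything other than the document element or one that is not enveloped. The sample feed is constructed, uses the Atom 1.0 namespace rather than the draft's, and the check only looks at placement and transforms, not at cryptographic validity.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DSIG_NS + "enveloped-signature"
SIG_TAG = "{%s}Signature" % DSIG_NS
TRANSFORM_PATH = ".//{%s}Transform" % DSIG_NS

# Constructed sample: one enveloped signature on atom:feed (the document
# element) and one on a nested atom:entry. SignatureValue is a placeholder.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <title>Constructed sample feed</title>
  <ds:Signature><ds:SignedInfo><ds:Reference URI=""><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  </ds:Transforms></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <entry>
    <title>Signed entry</title>
    <ds:Signature><ds:SignedInfo><ds:Reference URI=""><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </ds:Transforms></ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </entry>
</feed>"""


def local_name(tag):
    """Strip the namespace part of an ElementTree tag ('{ns}entry' -> 'entry')."""
    return tag.rsplit("}", 1)[-1]


def audit_signatures(xml_text):
    """One record per ds:Signature: which element it sits in, whether that
    element is the document element, and whether it is an enveloped signature."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    records = []
    for sig in root.iter(SIG_TAG):
        parent = parent_of.get(sig)
        if parent is None:
            continue  # ds:Signature as the root is not an Atom document at all
        algorithms = {t.get("Algorithm") for t in sig.iterfind(TRANSFORM_PATH)}
        records.append({"signed": local_name(parent.tag),
                        "on_document_element": parent is root,
                        "enveloped": ENVELOPED in algorithms})
    return records


def draft03_violations(xml_text):
    """Signatures the draft-03 section 7 wording does not permit."""
    return [r for r in audit_signatures(xml_text)
            if not (r["on_document_element"] and r["enveloped"])]
```

Running `draft03_violations(SAMPLE_FEED)` reports only the signature on the nested atom:entry, which is exactly the case the Pace proposed above would make legal.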
