Paul Hoffman wrote:
> The intermediary can, however, add a signed extension that
> says "this message was earlier signed by Xyzzy, and we verified that
> signature before we changed things."
Forgive me if I'm missing something obvious... While I understand
that such a statement could be generated in theory, it is not obvious to me
what the precise syntax for writing such a statement would be given just
what is said about signatures in the Atom draft. It seems to me that we
would have to either adopt additional syntax from some currently
not-referenced spec, or we'd have to define a new extension. What would you
propose is the correct way to get interoperable statements such as the ones
you suggest in your note?
>> One other *significant* limitation in Atom's support for signatures
>> is that there is no way for an intermediary to add to or otherwise modify
>> an Atom entry without breaking the signature.
> That's a purposeful design property of digital signatures. The exact
> same issue has long affected secure mail forwarders using S/MIME or
> OpenPGP.
But, the problem is slightly less painful in S/MIME applications
since you can wrap a signed message in an attachment while providing
additional data in the envelope. Atom doesn't provide a similar mechanism.
bob wyman
