At 10:02 PM -0400 4/26/05, Bob Wyman wrote:
> Paul Hoffman wrote:
>> The intermediary can, however, add a signed extension that says "this message was earlier signed by Xyzzy, and we verified that signature before we changed things."
>
> Forgive me if I'm missing something obvious... While I understand that such a statement could be generated in theory, it is not obvious to me what the precise syntax for writing such a statement would be given just what is said about signatures in the Atom draft. It seems to me that we would have to either adopt additional syntax from some currently not-referenced spec, or we'd have to define a new extension. What would you propose is the correct way to get interoperable statements such as the ones you suggest in your note?

The latter (an extension). Sorry if I didn't make that clear.

>>> One other *significant* limitation in Atom's support for signatures is that there is no way for an intermediary to add to or otherwise modify an Atom entry without breaking the signature.
>>
>> That's a purposeful design property of digital signatures. The exact same issue has long affected secure mail forwarders using S/MIME or OpenPGP.
>
> But, the problem is slightly less painful in S/MIME applications since you can wrap a signed message in an attachment while providing additional data in the envelope. Atom doesn't provide a similar mechanism.

Correct, but the pain is certainly still there for S/MIME and OpenPGP.

--Paul Hoffman, Director
--Internet Mail Consortium
