Have you considered what the requirements would be for external
resources, e.g., scripts sourced through a script tag?
--
Thomas Roessler, W3C <[EMAIL PROTECTED]>
On 4 Dec 2008, at 15:36, Arve Bersvendsen wrote:
Opera's current position is that we do not wish to allow partial
signing, as
a) Unsigned components in a signed package can always in some way be
treated as executable code, and thus it undermines any security
model, or forces vendors to implement a much more complex tainting
model for the content.
b) As for having different signatures for different components:
While this is slightly less problematic, it should not fall in under
use cases solved for any v1.0 specification, as it also complicates
any security model too much at this stage.
--
Arve Bersvendsen
Developer, Opera Software ASA, http://www.opera.com/
