On Apr 14, 2009, at 14:38, Marcos Caceres wrote:
> I think it would be more productive to help us address the issues
> that you mentioned, instead of asking us to dump everything and
> start again.

So the issues were:
1) The complexity of canonicalization/reserialization of XML.
2) Spec dependency on XSD.
3) Inability to use existing jar signing tools.

If you are already profiling XML signature a lot and are already using
a detached signature file, it seems to me that you are one step away
from optimizing away canonicalization:

Instead of canonicalizing the manifest XML and using XML signature,
you could treat the manifest XML as a binary file and sign it the
traditional way leaving a detached binary signature in the format
customary for the signing cipher in the zip file. This would address
issues #1 and #2.

But then if you are signing the XML manifest file the traditional way,
you are a step away from using jar-compatible manifests. :-) This
would address issue #3.
--
Henri Sivonen
[email protected]
http://hsivonen.iki.fi/
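
The trade-off discussed in the message above, as an added example that is not part of the original thread: a detached signature over the manifest's raw bytes needs no canonicalization but only verifies the exact bytes, and a simplified JAR-style digest manifest extends that to every archive member. HMAC-SHA256 stands in for the signing algorithm, and the key, sample XML, file contents and function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

KEY = b"constructed-demo-key"  # assumption: stands in for the signer's key

# Constructed sample: the same manifest XML serialized two different ways.
CONFIG_A = b'<widget id="w1" version="1.0"><content src="index.html"/></widget>'
CONFIG_B = b"<widget version='1.0' id='w1'><content src='index.html' /></widget>"

def sign(data: bytes) -> bytes:
    # Detached signature over raw bytes (HMAC-SHA256 as a stdlib stand-in).
    return hmac.new(KEY, data, hashlib.sha256).digest()

def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def c14n(xml: bytes) -> bytes:
    # The extra step an XML Signature verifier performs before hashing.
    return canonicalize(xml.decode("utf-8")).encode("utf-8")

def build_manifest(files: dict) -> bytes:
    # Simplified JAR-style manifest: one digest entry per archive member.
    out = ["Manifest-Version: 1.0", ""]
    for name in sorted(files):
        digest = base64.b64encode(hashlib.sha256(files[name]).digest()).decode()
        out += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    return "\r\n".join(out).encode("ascii")

def verify_package(files: dict, manifest: bytes, sig: bytes) -> bool:
    # 1) The signature must cover the manifest's exact bytes.
    if not verify(manifest, sig):
        return False
    # 2) Rebuilding the manifest from the files must reproduce it, which
    #    catches modified, added and removed members alike.
    return manifest == build_manifest(files)

if __name__ == "__main__":
    sig = sign(CONFIG_A)
    print("same bytes verify:        ", verify(CONFIG_A, sig))
    print("re-serialized XML verifies:", verify(CONFIG_B, sig))
    print("equal after c14n:          ", c14n(CONFIG_A) == c14n(CONFIG_B))
    files = {"config.xml": CONFIG_A, "index.html": b"<p>hello</p>"}
    manifest = build_manifest(files)
    print("package verifies:          ", verify_package(files, manifest, sign(manifest)))
```

Byte-level signing stays sound as long as nothing between signer and verifier re-serializes the signed file; canonicalization only buys tolerance for that re-serialization.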