From the minutes:

- Sean: verification by each serialization form or one canonical serialization format?
- Sebastian: Each individual format has one way of doing things, but pass through canonicalization to a version (i.e. binary serialization) that a hash can be calculated against.
- William: has historically been at the logical document level, and at the transport level it is hashed.

Need to specify the type of verification:

*Data Origin Authentication and Integrity* (signature) verifies a data producer's identity and that the data is what was produced.

*Referential Integrity* (hash) asserts nothing about the data producer, just that if data was read by consumer A then it has not changed when read by consumer B. Consumer A creates a reference that includes a hash of the referenced data. Consumer A may be, but is not required to be, the producer of the referenced data.

Both hashes and signatures can be computed directly on the original physical data or on logical data by deserializing and reserializing into a designated physical format, as Sebastian says. "Be strict in what you generate" is helpful, but even then most implementations are not validated with a ton of bad example data designed to uncover ambiguities and errors. Designing an information model is essential to enable cross-format (logical level) canonicalization.

View/Reply Online (#4305): https://lists.spdx.org/g/Spdx-tech/message/4305
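An added example, not from the thread or from any SPDX tooling, of the physical-versus-logical hashing distinction discussed above: two serializations of the same logical document hash differently as raw bytes but identically after deserialize-and-reserialize into an assumed canonical form (sorted-key compact JSON, chosen here for illustration only), and a reference carrying the logical hash gives consumer B referential integrity without saying anything about the producer. The last check shows the kind of ambiguity the minutes warn about.

```python
import hashlib
import json

# Constructed sample data: two physical serializations of one logical document,
# differing only in key order and whitespace.
DOC_A = '{"name": "libfoo", "version": "1.2.3", "licenseConcluded": "MIT"}'
DOC_B = '{\n  "version": "1.2.3",\n  "licenseConcluded": "MIT",\n  "name": "libfoo"\n}'


def physical_hash(serialized: str) -> str:
    """Transport-level hash: the bytes exactly as transmitted."""
    return hashlib.sha256(serialized.encode("utf-8")).hexdigest()


def canonicalize(logical: dict) -> bytes:
    """Reserialize the logical document into one designated physical format.

    Assumed canonical form for this example (not an SPDX definition):
    JSON, keys sorted, no insignificant whitespace, UTF-8.
    """
    return json.dumps(
        logical, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def logical_hash(serialized: str) -> str:
    """Logical-document-level hash: parse, canonicalize, then hash."""
    return hashlib.sha256(canonicalize(json.loads(serialized))).hexdigest()


def make_reference(serialized: str) -> dict:
    """Consumer A records a reference that includes the logical hash."""
    return {"algorithm": "sha256", "hashValue": logical_hash(serialized)}


def verify_reference(reference: dict, serialized: str) -> bool:
    """Consumer B checks that what it read is unchanged from what A referenced.

    This proves nothing about who produced the data; only a signature would.
    """
    return reference["hashValue"] == logical_hash(serialized)


def canonical_forms_differ(a: str, b: str) -> bool:
    """True when the chosen canonicalization still sees a and b as different."""
    return logical_hash(a) != logical_hash(b)
```

The final function exposes an ambiguity this simple canonicalization does not resolve: `{"x": 1.0}` and `{"x": 1}` parse to a float and an int and reserialize differently, so an information model must decide whether they are the same logical value.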
