Hey!
Thank you Goffi for creating this proposal. Cross-reading it, some
points come to mind:
In the glossary under "signing profile" you write: "a specialisation of
this specification for a specific cryptographic algorithm."
I think instead of "cryptographic algorithm", a more generalized term
such as "cryptographic system" would be more suitable. For example,
OpenPGP as a message format supports all kinds of algorithms.
In "Overview", you write "To sign a pubsub item, the signature and the
signed data are separated.". Its not fully clear to me what that means.
Is this intended to handle the case where an additional signer signs
some already-signed item? Or does it mean that signature and data are
handled separately from another?
Also, perhaps a bit nit-picky, "Overview" and "Signing a Pubsub Item"
begin with the same exact phrase.
From "Wrapper Element (After Normalization)": "If the pubsub item is
encrypted, the signature MUST be done on the plain text version of the
item before the encryption of the item. The signature attachment SHOULD
be encrypted too.".
It is probably a good idea to add an additional sentence explaining that
adding a signature over plaintext outside of the encrypted data may leak
information (such as a hash) about the content of the encrypted data.
Maybe something for Security Considerations?
In "Rationales", you could add the use-case of signing-key rotation. I
could imagine a microblogging application where the user can rotate
their signing key. Attaching new signatures can be used to re-certify
old posts.
The last paragraph of "Business Rules" is very long and confusing.
In "Security Considerations": "Signature is intimely linked...", do you
perhaps mean "intimately"?
Hope you may find some of my feedback useful :)
Paul
Am 08.11.22 um 21:36 schrieb Jonas Schäfer (XSF Editor):
The XMPP Extensions Editor has received a proposal for a new XEP.
Title: Pubsub Signing
Abstract:
Specifies a mechanism to sign pubsub items
URL: https://xmpp.org/extensions/inbox/pubsub-signing.html
The Council will decide in the next two weeks whether to accept this
proposal as an official XEP.
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
