On Mar 8, 2009, at 10:14 AM, Chris Anderson wrote:
I think you'll want to add to the signature field, a list of the signed fields. This way _rev can change freely, and intermediate users can add new fields, without breaking the signature.
That would be one way to do it. Another is to apply the signature not to the top-level document itself but to an object nested inside it. The nice thing about this signature schema is that it has a very flexible topology, so you can sign pieces of objects, have multiple signed pieces in an object, etc.
There are reliable JS md5 and sha1 libs. Will that get you there?
No, unfortunately. Verifying a signature requires re-running the public-key algorithm over the message digest. So this would require an implementation of RSA or the equivalent.
(RSA is ubiquitous but getting old; apparently elliptic-key systems are gaining favor because they provide more security per bit of key length. I don't know whether they're any less compute-intensive than RSA. I'll do some research and try to find JS impls of any of these.)
—Jens
