On 11/04/2009 9:47 AM, Chris Anderson wrote:
On Tue, Mar 10, 2009 at 3:27 PM, Chris Anderson<[email protected]> wrote:
On Tue, Mar 10, 2009 at 9:01 AM, Brian Candler<[email protected]> wrote:
Inventing new cryptosystems is dangerous. Why not an OpenPGP armored
detached signature?
Does this hand-waving version of a signed document look like it could work?
{
"_id" : "89a7stdg235",
"_rev" : "1-26476513",
"signed-content" : {
"message" : "I said this and I meant it.",
"date" : "2009/04/09 15:54:08",
"author" : {
"name" : "J. Chris Anderson",
"url" : "http://jchrisa.net";,
"photo" : "http://jchrisa.net/profile.jpg";
}
},
"signature" : {
"content-hash" : "s7d23fiu7g34awb47e32rso7d54fn3sdf==",
"content-serializer" : {
"code" : "http://jchrisa.net/repeatable-json-0.2.2.js";,
"decimal-precision" : 4
},
"public-key" :
"5s2457d357f47io46u135h35as5df135oi235ugs4a35df57ou7y5g1s5d5f58ou1s3d4f==",
"signed-hash" : "h235h345h3147j23j35g1235344j3246h46jg3245j==",
},
"foo" : ["this content is not signed", "it's just here"]
}
Would it be possible to just list the field names rather than forcing
another object into the mix? Eg, let's say I've an existing couch DB
I'd like to add signature support to - IIUC, the scheme above would
force both the database and the 'application' to be converted to use the
new enforced 'signed-content' container.
To be concrete, I'm suggesting something like:
{
"_id" : "89a7stdg235",
"_rev" : "1-26476513",
"signed-fields: [ "message", "date", "author"]
"message" : "I said this and I meant it.",
"date" : "2009/04/09 15:54:08",
"author" : {
"name" : "J. Chris Anderson",
"url" : "http://jchrisa.net";,
"photo" : "http://jchrisa.net/profile.jpg";
}
"foo" : "not signed but still a normal field",
"signature" : etc as described...
}
Cheers,
Mark
![http://jchrisa.net/profile.jpg"](http://jchrisa.net/profile.jpg"){kind=link}