daniel added a comment.
In T138708#2424766, @JanZerebecki wrote:
Why use a sha1 instead of inlining the normalized serialization in the text to sign?
Because that doubles the size of the serialization of a statement.
Why add the current date and time?
For completeness. It's nice to know when something was signed, I think.
Why add the signer's identity?
It should be visible *somewhere*, right?
How do you revoke a signature?
By removing the snak that contains the signature. Or by revoking the key.
How do you guard against being able to send the user only a selective part of the signatures?
Can you elaborate?
How do you verify what a revision contains and that the revision wasn't changed?
By signing parts of that revision. I don't currently have a solution for labels and descriptions, except copying them into the signed text.
