Subject: Re: [xri] xml dsig profile
On Thu, Mar 12, 2009 at 7:26 AM, George Fletcher <george.fletcher@corp.aol.com> wrote:
> 1. Could a proxy unintentionally change the "canoncialize-raw-octets"
> stream? It shouldn't though I know that some proxies do gzip encoding on the
> fly. Again, I don't think it will be a problem but wanted to make sure.

gzip transfer-encodings would be fine; the client will end up with the same content the server sent.

Some "application level firewalls" do mess with content. If someone sets up an application level firewall that munges the XML or the document, that will break the signature. Tough nookies.

HTTP clients and servers are tolerably good at sending raw octets over the wire and having them pop out the other side. We probably will flush out some bugs in proxies/servers/clients that munge content (adding new lines at the end of content, for example). Those are bugs. Transparent HTTP proxies aren't supposed to do that.

> 2. Should the verification process specifically define rules (or reference
> rules) that require the signing certificate to be "authoritative" for the
> XRD? The reason this came to mind is that a proxy could completely swap out
> the XRD and its Signature header. The signature would verify, but would be
> signed by an entity not authoritative for the XRD.

One challenge at a time. =)

Individual applications that use signed XRDs clearly need to define those rules. I suspect different applications are going to have different trust schemes.
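The two cases discussed in this message, as an added example that is not part of the original post or of the XRI profile: a signature over raw octets survives a gzip hop, fails when an intermediary appends a newline, and still verifies when both document and signature are swapped unless the application applies its own trust rule. Assumptions: HMAC-SHA256 stands in for the certificate-based signature, and the signer names, keys, XRD bodies and the `authoritative` set are constructed for illustration.

```python
import gzip
import hashlib
import hmac

# Constructed sample data: signer names, keys and XRD bodies are made up.
SIGNER_KEYS = {"example.com": b"key-of-example.com", "proxy.invalid": b"key-of-proxy"}
XRD = b"<XRD><Subject>http://example.com/</Subject></XRD>"
SWAPPED_XRD = b"<XRD><Subject>http://example.com/</Subject><!-- swapped --></XRD>"


def sign(octets: bytes, signer: str) -> str:
    """Stand-in signature: HMAC-SHA256 over the exact octets the server sends."""
    return hmac.new(SIGNER_KEYS[signer], octets, hashlib.sha256).hexdigest()


def signature_verifies(octets: bytes, signature: str, signer: str) -> bool:
    if signer not in SIGNER_KEYS:
        return False
    return hmac.compare_digest(sign(octets, signer), signature)


def gzip_hop(octets: bytes) -> bytes:
    """Proxy gzips on the fly; the client decodes before verifying."""
    return gzip.decompress(gzip.compress(octets))


def munging_hop(octets: bytes) -> bytes:
    """Intermediary that appends a newline to the content."""
    return octets + b"\n"


def accept(octets: bytes, signature: str, signer: str, authoritative: set) -> str:
    """Signature check first, then the application's own trust rule (hypothetical)."""
    if not signature_verifies(octets, signature, signer):
        return "bad-signature"
    if signer not in authoritative:
        return "signer-not-authoritative"
    return "ok"


if __name__ == "__main__":
    trusted = {"example.com"}
    sig = sign(XRD, "example.com")
    print(accept(gzip_hop(XRD), sig, "example.com", trusted))
    print(accept(munging_hop(XRD), sig, "example.com", trusted))
    swapped_sig = sign(SWAPPED_XRD, "proxy.invalid")
    print(accept(SWAPPED_XRD, swapped_sig, "proxy.invalid", trusted))
```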