OASIS Mailing List Archives

xri message



Subject: Re: [xri] xml dsig profile


On Thu, Mar 12, 2009 at 7:26 AM, George Fletcher
<george.fletcher@corp.aol.com> wrote:
> 1. Could a proxy unintentionally change the "canoncialize-raw-octets"
> stream? It shouldn't though I know that some proxies do gzip encoding on the
> fly. Again, I don't think it will be a problem but wanted to make sure.

gzip transfer-encodings would be fine, the client will end up with the
same content the server sent.

Some "application level firewalls" do mess with content.  If someone
sets up an application level firewall that munges the XML or the
document, that will break the signature.  Tough nookies.

HTTP clients and servers are tolerably good at sending raw octets over
the wire and having them pop out the other side.

We probably will flush out some bugs in proxies/servers/clients that
munge content (adding new lines at the end of content, for example).
Those are bugs.  Transparent HTTP proxies aren't supposed to do that.

> 2. Should the verification process specifically define rules (or reference
> rules) that require the signing certificate to be "authoritative" for the
> XRD? The reason this came to mind is that a proxy could completely swap out
> the XRD and its Signature header. The signature would verify, but would be
> signed by an entity not authoritative for the XRD.

One challenge at a time. =)

Individual applications that use signed XRDs clearly need to define
those rules.  I suspect different applications are going to have
different trust schemes.
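
The two questions in this message, worked through as an added example (not part of the original e-mail or of the XRI TC's profile): a signature computed over the raw octets survives a gzip hop, fails on any hop that alters the content, and verifies for a swapped document unless the verifier pins the signer it treats as authoritative. Assumptions: HMAC-SHA256 stands in for the certificate-based signature so the block runs on the standard library alone, and the document, keys and function names are constructed for illustration.

```python
import gzip
import hashlib
import hmac

# Constructed sample document: the exact octets the server sends.
XRD = b"<XRD><Subject>http://example.com/</Subject></XRD>"
SITE_KEY = b"constructed-site-key"    # stand-in for the authoritative signer
PROXY_KEY = b"constructed-proxy-key"  # stand-in for some other signer

def sign(octets, key):
    """Sign the raw octets as sent; no XML canonicalization step."""
    return hmac.new(key, octets, hashlib.sha256).digest()

def verify(octets, sig, key):
    return hmac.compare_digest(sign(octets, key), sig)

def gzip_hop(octets):
    """Proxy gzips on the fly; the client decodes before verifying."""
    return gzip.decompress(gzip.compress(octets))

def newline_hop(octets):
    """Buggy hop that appends a newline to the content."""
    return octets + b"\n"

def reformat_hop(octets):
    """Content-rewriting firewall that re-indents the XML."""
    return octets.replace(b"><", b">\n  <")

def swap_hop(octets, sig):
    """Hop that replaces the document and its signature with its own."""
    other = b"<XRD><Subject>http://example.org/</Subject></XRD>"
    return other, sign(other, PROXY_KEY)

def run():
    sig = sign(XRD, SITE_KEY)
    swapped, swapped_sig = swap_hop(XRD, sig)
    return {
        "gzip": verify(gzip_hop(XRD), sig, SITE_KEY),
        "newline": verify(newline_hop(XRD), sig, SITE_KEY),
        "reformat": verify(reformat_hop(XRD), sig, SITE_KEY),
        # Valid under the swapper's key, rejected under the key the
        # application treats as authoritative for this XRD.
        "swap_any_signer": verify(swapped, swapped_sig, PROXY_KEY),
        "swap_authoritative": verify(swapped, swapped_sig, SITE_KEY),
    }

if __name__ == "__main__":
    for name, ok in run().items():
        print(f"{name:20} {'valid' if ok else 'INVALID'}")
```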

