[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Atom protocol and digital signatures

To: "A. Pagaltzis" <pagaltzis@xxxxxx>, atom-syntax@xxxxxxx, atom-protocol@xxxxxxx
Subject: Re: Atom protocol and digital signatures
From: Paul Hoffman <phoffman@xxxxxxx>
Date: Tue, 19 Jun 2007 17:40:09 -0700
In-reply-to: <>
List-archive: <http://www.imc.org/atom-protocol/mail-archive/>
List-id: <atom-protocol.imc.org>
List-unsubscribe: <mailto:atom-protocol-request@imc.org?body=unsubscribe>
References: <tslr6oa9yls.fsf@xxxxxxx> <> <>
Sender: owner-atom-protocol@xxxxxxxxxxxx


At 1:43 AM +0200 6/20/07, A. Pagaltzis wrote:

* Paul Hoffman <phoffman@xxxxxxx> [2007-06-19 21:40]:

 The method for a server to indicate to a third party whether or
 not the client signed an Entry Document is by including the
 client's signature in the published entry, even though that
 signature is likely to be invalid.


I strongly disagree with this. As a consumer, I have no possible
way to know whether an invalid signature is there because

* the publishing client included it
* the server made up a signature to feign signing by the client
* a third party tampered with the entry between the server and me

Therefore as a consumer I would never ever assume that an invalid
signature meant anything else than that the signature on this
entry is not valid.


Fully agree so far.

Encouraging servers

Stop right there. Nothing in the quoted text *encourages* anyone. Wesaid that there was a method, which is completely true. We also saidthat this is "the" method, which is also completely true (we didn'tcreate another method). That is a far cry from encouragement.

If the server is not, though, then it really should strip the
signature if it knows it has invalidated it. Note that my
proposed text said "strongly encouraged", not "SHOULD". After
all, it is not an interop concern, nor do I desire to dictate
server behaviour.

The WG has gone out of its way to put as few restrictions on serversas possible, and to minimize the number of "encouragements" (muchless strong encouragements). I took that earlier direction to heartin the above paragraph.

If the WG wants to make a strong encouragement here, that's fine, butwe do so against our earlier trend.

However, I do think this particular implementation choice
makes a lot of sense and should be the default choice for
server implementors who don't have specific reason to do
things otherwise. And I think the spec should nudge them in
that direction.

Given that this is the Security Considerations section, we shouldhave a security reason for the nudge. I don't think we have one.There is no security problem with publishing a known-bad signature.

Follow-Ups:
- Re: Atom protocol and digital signatures
  - From: A. Pagaltzis

References:
- Atom protocol and digital signatures
  - From: Sam Hartman
- Re: Atom protocol and digital signatures
  - From: Paul Hoffman
- Re: Atom protocol and digital signatures
  - From: A. Pagaltzis

Prev by Date: Re: Atom protocol and digital signatures
Next by Date: Re: Atom protocol and digital signatures
Previous by thread: Re: Atom protocol and digital signatures
Next by thread: Re: Atom protocol and digital signatures
Index(es):
- Date
- Thread