Re: Atom protocol and digital signatures
Hi,
Paul Hoffman wrote:
> Fully agree. And I can see how even talking about leaving invalid
> signatures in can be considered an encouragement, even if it is a light
> encouragement.
>
> Given this, I propose changing the paragraph to:
>
> A server is allowed to strip client-applied signatures, to strip
> client-applied signatures and then re-sign with its own public key, and
> to oversign an entry with its own public key. The meaning to a third
> party of a signature applied by a server is the same as a signature from
> anyone, as described in [RFC4287]. It is recommended that a server that
> is aware that it has changed any part of an Entry Document that was
> signed by the client should strip that signature before publishing the
> entry in order to prevent third parties from trying to interpret a
> signature that cannot be validated.
>
What does it mean to "strip" a signature?
Might it be worth noting that in such cases, the server is recommended
to "remove the child element of the Entry Document with the namespace
URI http://www.w3.org/2000/09/xmldsig# and a local name of Signature"
(as specified for signature addition in RFC4287)?
Regards,
- John Kemp
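
The "strip" operation as worded in the message above, sketched as an added example that is not part of the original message or of any Atom server's code: it removes every direct child of the Entry Document whose namespace URI is `http://www.w3.org/2000/09/xmldsig#` and whose local name is `Signature`. The function name `strip_entry_signatures` and the sample entry are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ENTRY_TAG = f"{{{ATOM_NS}}}entry"
SIGNATURE_TAG = f"{{{DSIG_NS}}}Signature"

# Keep the input's prefixes when the entry is serialized again.
ET.register_namespace("", ATOM_NS)
ET.register_namespace("ds", DSIG_NS)

# Constructed sample: one signature on the entry, one inside atom:content.
SAMPLE_ENTRY = """<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <id>urn:example:entry-1</id>
  <title>Edited by the server</title>
  <updated>2007-01-01T00:00:00Z</updated>
  <content type="application/xml">
    <ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
  </content>
  <ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
</entry>"""


def strip_entry_signatures(entry_xml):
    """Return (entry XML without entry-level signatures, number removed)."""
    # Assumption: entry_xml has already passed the server's own XML input checks.
    root = ET.fromstring(entry_xml)
    if root.tag != ENTRY_TAG:
        raise ValueError("document element is not atom:entry")
    # Match on namespace URI + local name, never on the prefix, and look only
    # at direct children of the entry (the position the message cites).
    signatures = [child for child in root if child.tag == SIGNATURE_TAG]
    for sig in signatures:
        root.remove(sig)
    return ET.tostring(root, encoding="unicode"), len(signatures)


if __name__ == "__main__":
    stripped, removed = strip_entry_signatures(SAMPLE_ENTRY)
    print(f"removed {removed} entry-level signature(s)")
    print(stripped)
```

Matching on the expanded name rather than a `ds:` prefix matters because a client may bind the XML-DSig namespace to any prefix; an element nested deeper than the entry's children, such as one carried inside `atom:content`, is left in place.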