Agile Financial Publishing

Tim Bray: Why Digital Signature? · This idea was first proposed by James Snell, and it’s a good one.  Mind you, the benefits are a little bit theoretical, since no feed-reading clients that I’ve seen actually check a digital signature.  The argument for this is similar to that for TLS; a bad guy who could somehow insert a fake press release into the feed could make zillions by gaming the share price.  A verifiable digital signature would let someone reading the feed know that the news in it really truly did come from Sun.

From busted to valid to best practices, all in a little over ninety days.  Kudos.

One can find code for creating and verifying digital signatures using Abdera on DeveloperWorks.  There also is an xmlsec1 command.

Once there is an actual feed deployed using digital signatures, I will enhance the feed validator both to verify the signature and to update the UI to indicate that the feed contains valid signatures.  I will also update both the Universal Feed Parser and Venus to deal with the same; after all, what use is it to sign a syndicated feed if the signature doesn’t survive syndication?


[from kellan] Sam Ruby: Agile Financial Publishing

feeds + digital signatures...

Excerpt from del.icio.us/network/kael at

Signing XML documents a "Revelation"?

Agile Financial Publishing Atomic Financial Publishing Why is this such a big deal? And why has it taken the REST crowd so long to discover? Guess they do have some stuff to learn from us. We’ve been doing this for years....

Excerpt from Many Hats at


Encrypted/Signed Atom feeds? Froody!

I will also update both the Universal Feed Parser and Venus to deal with same, after all what use is it to sign a syndicated feed if the signature doesn’t survive syndication?

How does one sanitize a signed and/or encrypted feed?

Posted by Jacques Distler at


Jacques: One doesn’t.  Sanitizing the feed/entry will obviously break signatures and require decryption.  However, that does not mean that the tooling cannot provide metadata about any signatures or encryption that were applied before the sanitation.

Posted by James Snell at


How does one sanitize a signed and/or encrypted feed?

Paul Hoffman proposes:

<link rel="signed-original">

(No that doesn’t handle encryption.  One problem at a time)

Posted by Sam Ruby at

I don’t see the difference between his proposal and

<atom:entry>
  ...
  <atom:source>
    ...
    <atom:link rel="self" href="..."/>
  </atom:source>
</atom:entry>

My thought was that, in addition to the above, one does something along the lines of:

1. verify the signature
2. do whatever sanitizing, etc, you want
3. sign the result

The client can always go back to the source. But if he trusts the mashup generator, that signature may be assurance enough.

Posted by Jacques Distler at
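The verify, sanitize, re-sign flow from the comment above, together with the rel="signed-original" pointer, as an added example that is not code from this post, from Abdera or from xmlsec1. It assumes Python's standard-library C14N for the canonicalization step and an HMAC-SHA256 value as a stand-in for the XML-DSig SignatureValue; the keys, the entry and the example.com URL are constructed.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
ET.register_namespace("", ATOM)  # serialise Atom as the default namespace, as the feed did
# Constructed keys; a real deployment uses the publisher's and aggregator's X.509 key pairs.
PUBLISHER_KEY = b"publisher-secret-constructed"
AGGREGATOR_KEY = b"aggregator-secret-constructed"
# Constructed press-release entry; its HTML content carries a <script> an aggregator would strip.
ENTRY = (
    '<entry xmlns="http://www.w3.org/2005/Atom">'
    "<title>Q3 results</title>"
    "<id>urn:uuid:00000000-0000-0000-0000-000000000001</id>"
    '<content type="html">&lt;p&gt;Revenue up&lt;/p&gt;&lt;script&gt;alert(1)&lt;/script&gt;</content>'
    "</entry>"
)

def canonical(xml_text):
    """C14N from the standard library: stands in for the canonicalization step of XML-DSig."""
    return ET.canonicalize(xml_text, strip_text=True).encode()

def sign(xml_text, key):
    """HMAC-SHA256 over the canonical form; a stand-in for a real ds:SignatureValue."""
    return hmac.new(key, canonical(xml_text), hashlib.sha256).hexdigest()

def verify(xml_text, key, signature):
    return hmac.compare_digest(sign(xml_text, key), signature)

def sanitize(xml_text):
    """Aggregator cleanup: drop <script> from HTML content. The bytes change, so the publisher's signature dies here."""
    root = ET.fromstring(xml_text)
    for content in root.iter(f"{{{ATOM}}}content"):
        content.text = re.sub(r"<script.*?</script>", "", content.text or "", flags=re.S)
    return ET.tostring(root, encoding="unicode")

def resign_with_provenance(clean_xml, original_href, key):
    """Step 3 of the comment: point at the publisher-signed original, then sign the sanitized result."""
    root = ET.fromstring(clean_xml)
    ET.SubElement(root, f"{{{ATOM}}}link", rel="signed-original", href=original_href)
    out = ET.tostring(root, encoding="unicode")
    return out, sign(out, key)

if __name__ == "__main__":
    publisher_sig = sign(ENTRY, PUBLISHER_KEY)
    clean = sanitize(ENTRY)
    resigned, agg_sig = resign_with_provenance(clean, "https://example.com/feed.atom", AGGREGATOR_KEY)
    print(verify(ENTRY, PUBLISHER_KEY, publisher_sig), verify(clean, PUBLISHER_KEY, publisher_sig), verify(resigned, AGGREGATOR_KEY, agg_sig))  # True False True
```

A client that does not trust the aggregator follows the signed-original link and checks the publisher's signature itself; one that does can stop at the aggregator's.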
