couchdb-user mailing list archives

From Jim McCoy <jim.mc...@gmail.com>
Subject Re: Proposal for digital signatures of documents
Date Mon, 09 Mar 2009 20:16:15 GMT
Setting aside the JSON canonicalization issue, I think that locking in
a signature algorithm (esp. one that already is showing weakness such
as SHA-1) is a mistake.  The digest key should go to an object that
has the algorithm and data properties.

Instead of this:

"digest": "pFCzUK7yuO0dWtm0oATB7ag6vj0="

use this:

"digest": {"algorithm": "SHA1", "data": "pFCzUK7yuO0dWtm0oATB7ag6vj0="}

It may be the case that SHA1 is the default for the near future, but
this choice will probably not be the default by the time Couch hits
2.0...

Now that I think about it a bit more, perhaps the digest should be a
nested object with being the algorithm identifier and data being the
hash value for that particular algorithm.  This also means that the
"signed" object would need to be a similarly nested object with
algorithm/hash-signature pairs, but it does give more flexibility and
a small bit of future-compatibility.

jim
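
Added example, not part of the original message or of CouchDB's code: a Python verifier that accepts the three digest shapes discussed above (bare string, a single algorithm/data object, and the nested per-algorithm object). The "SHA256" identifier, the preference order, the sample payload and all function names are assumptions; canonicalization is set aside as in the message, so the payload is taken as already-serialized bytes.

```python
import base64
import hashlib
import hmac

# "SHA1" follows the message's spelling; "SHA256" is an assumed identifier.
HASHES = {"SHA256": hashlib.sha256, "SHA1": hashlib.sha1}
PREFERENCE = ["SHA256", "SHA1"]  # verifier's local policy, strongest first

# Constructed sample payload, treated as already-canonical bytes.
PAYLOAD = b'{"_id":"doc1","value":42}'


def b64_hash(algorithm, payload):
    """Base64 of the raw hash, the encoding used by the message's example."""
    return base64.b64encode(HASHES[algorithm](payload).digest()).decode("ascii")


def make_digest(payload, algorithms):
    """Nested form: one key per algorithm identifier, value is the hash."""
    return {alg: b64_hash(alg, payload) for alg in algorithms}


def normalize(field):
    """Map the three shapes from the message to {algorithm: data}."""
    if isinstance(field, str):                   # bare string: implicit SHA1
        return {"SHA1": field}
    if set(field) == {"algorithm", "data"}:      # single tagged object
        return {field["algorithm"]: field["data"]}
    return dict(field)                           # nested per-algorithm object


def verify_digest(payload, field, accepted):
    """Return the algorithm that verified, or raise ValueError.

    Only the strongest locally accepted algorithm present is checked, so a
    mismatch there is never rescued by a weaker entry in the same object.
    """
    entries = normalize(field)
    for alg in PREFERENCE:
        if alg in accepted and alg in entries:
            expected = b64_hash(alg, payload).encode("ascii")
            supplied = str(entries[alg]).encode("utf-8")
            if hmac.compare_digest(expected, supplied):
                return alg
            raise ValueError(f"{alg} digest mismatch")
    raise ValueError("no accepted digest algorithm present")
```

The accepted set belongs to the verifier, not the document: a reader that has dropped SHA1 rejects a SHA1-only digest instead of trusting the algorithm name the document supplies.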
