Return-Path: Delivered-To: apmail-couchdb-user-archive@www.apache.org Received: (qmail 11640 invoked from network); 14 Apr 2009 10:16:36 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 14 Apr 2009 10:16:36 -0000 Received: (qmail 99213 invoked by uid 500); 14 Apr 2009 10:16:35 -0000 Delivered-To: apmail-couchdb-user-archive@couchdb.apache.org Received: (qmail 99119 invoked by uid 500); 14 Apr 2009 10:16:35 -0000 Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@couchdb.apache.org Delivered-To: mailing list user@couchdb.apache.org Received: (qmail 99108 invoked by uid 99); 14 Apr 2009 10:16:35 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 14 Apr 2009 10:16:35 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of skippy.hammond@gmail.com designates 209.85.198.237 as permitted sender) Received: from [209.85.198.237] (HELO rv-out-0506.google.com) (209.85.198.237) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 14 Apr 2009 10:16:26 +0000 Received: by rv-out-0506.google.com with SMTP id k40so2004360rvb.35 for ; Tue, 14 Apr 2009 03:16:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:reply-to :user-agent:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=3sBZFLiQ7bbDc+vIKG0GdIEqOLsuMuoCaYTX2feYdlw=; b=QyOqWzY+f5ewtpJWEGaG9PP8Ilt2MoDgyTqox02ZpKIQNTW+J7nmQzs9WRdkD/WBdR z1Z2D7soJ4n0Tg6fMkHFUdY9K7UCZwuRuB9nxK4PqdGnxTjP15N39VHE0P+qLryxvUES mscaK4bSIUFhOKhI+2UKw79S/tka64G1+sGA4= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:user-agent:mime-version:to:subject :references:in-reply-to:content-type:content-transfer-encoding; b=Jl+zBhu12b1pocVeWqa/jastE2cd5GqPqtvU33iJsLNpSNe/KPOZLj2YXwdNAziBia QqaL2XKBbMVoTKvqMsgEoM80mgAgVZVQgBJPBGa8DeecyP2H7GnzBjMxJKfaYfZqetGL Z2cHzCNOsbBYstfRdXQ3Ezg9Z7rfRMQh5JrtY= Received: by 10.141.2.18 with SMTP id e18mr3156730rvi.140.1239704164709; Tue, 14 Apr 2009 03:16:04 -0700 (PDT) Received: from ?192.168.0.12? (202.168.100.57.dynamic.rev.eftel.com [202.168.100.57]) by mx.google.com with ESMTPS id k41sm14511164rvb.6.2009.04.14.03.16.02 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 14 Apr 2009 03:16:04 -0700 (PDT) Message-ID: <49E4622F.2040108@gmail.com> Date: Tue, 14 Apr 2009 20:15:11 +1000 From: Mark Hammond Reply-To: mhammond@skippinet.com.au User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b3pre) Gecko/20090223 Thunderbird/3.0b2 MIME-Version: 1.0 To: user@couchdb.apache.org Subject: Re: Proposal for digital signatures of documents References: <49E29B01.3040301@gmail.com> <20090414091241.GA20903@uk.tiscali.com> In-Reply-To: <20090414091241.GA20903@uk.tiscali.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org On 14/04/2009 7:12 PM, Brian Candler wrote: > On Mon, Apr 13, 2009 at 11:53:05AM +1000, Mark Hammond wrote: >> Would it be possible to just list the field names rather than forcing >> another object into the mix? > ... >> { >> "_id" : "89a7stdg235", >> "_rev" : "1-26476513", >> "signed-fields: [ "message", "date", "author"] > > I can see scope for document tampering, unless signed-fields is itself > (unconditionally) signed. Yeah - I can see that the list of fields must form part of the signature. > How useful is it in practice to sign part of a document? This sounds very > application-specific to me, and something that couchdb itself should not > concern itself with. I can see a use-case for a signed message, but an application needing to change one or 2 application-specific fields without invalidating the signature (eg, it might want to record the date the signed document was added to the couch, or some other 'state'). There are probably alternative models people could use in this case, but if we can keep things simple for people, all the better. So while I agree each applications requirements will be different in some way, I can see it being helpful to many applications to allow only a subset of the fields to be signed. I hate to bring up signed blobs too - so some consideration probably needs to be given to attachments... Cheers, Mark