incubator-couchdb-user mailing list archives

From Chris Anderson <>
Subject Re: Proposal for digital signatures of documents
Date Tue, 14 Apr 2009 17:45:58 GMT
On Tue, Apr 14, 2009 at 3:15 AM, Mark Hammond <> wrote:
> On 14/04/2009 7:12 PM, Brian Candler wrote:
>> On Mon, Apr 13, 2009 at 11:53:05AM +1000, Mark Hammond wrote:
>>> Would it be possible to just list the field names rather than forcing
>>> another object into the mix?
>> ...
>>>       {
>>>         "_id" : "89a7stdg235",
>>>         "_rev" : "1-26476513",
>>>         "signed-fields": [ "message", "date", "author"]
>> I can see scope for document tampering, unless signed-fields is itself
>> (unconditionally) signed.
> Yeah - I can see that the list of fields must form part of the signature.
>> How useful is it in practice to sign part of a document? This sounds very
>> application-specific to me, and something that couchdb itself should not
>> concern itself with.

Another important case for signing parts of documents is when you have
a document being updated by multiple authors. Each can sign their
updates and append them to an array. Or something.

In my mind doc-signing is an application concern, not a CouchDB
concern. If a bunch of applications use a common envelope that will
make code reuse easier, but I don't think CouchDB needs to know about
signing specifically. Validation functions are all we need to prevent
invalidly signed documents from being propagated.

My hope is that the code I'm working on will be CouchDB-agnostic as
well, so special-cases like ignoring _rev in signatures should not be
coded into the library. Signing document parts gives us the power to
work with CouchDB without being tied to it.

> I can see a use-case for a signed message, but an application needing to
> change one or 2 application-specific fields without invalidating the
> signature (eg, it might want to record the date the signed document was
> added to the couch, or some other 'state').  There are probably alternative
> models people could use in this case, but if we can keep things simple for
> people, all the better.
> So while I agree each application's requirements will be different in some
> way, I can see it being helpful to many applications to allow only a subset
> of the fields to be signed.
> I hate to bring up signed blobs too - so some consideration probably needs
> to be given to attachments...

Likely so -- just trying to get to hello-world for now.

Chris Anderson
