Alternative proposal for digital signatures

Rob Seaman seaman at noao.edu
Wed Mar 12 16:59:55 PDT 2008


I'm the guy Bob talked to.  Glad to see we were all pent up and ready  
to wrestle with VOEvent issues again!

Matthew mentions:

> One of the main motivations for using X.509 certificates and XML  
> digital signatures is that this is the security model recommended by  
> the International Virtual Observatory Alliance (IVOA) which defined  
> the VOEvent standard. Consistency and interoperability are often  
> better goals than an easier implementation.


I'd say "operability" is the key figure of merit here.  As with a lot  
of other IVOA technologies, VOEvent can serve as a bellwether.  I'll  
be happy with any authentication technique that is responsive to the  
requirements and is functional in the real world - after all, Steve  
was signing VOEvent packets in Aspen in 2005 on a talking laptop.

Let's have a bake-off...

Steve states:

> There is also the tangle of XML canonicalization.  Two XML documents  
> can be content-identical without being byte-identical, and tools  
> that handle XML documents may reformat the bytes.  This is beyond  
> the ken of PGP/GPG.


My comment to Bob was that canonicalization was going to be a bigger  
issue for VOEvent than the signing technology per se.  Thoughts on  
whether this could be a separate preprocessing step before signing?

Roy relates:

> Our upcoming Interop meeting is 19-23 May, in Trieste, Italy. We  
> will have a VOEvent session on signatures, and I invite you to talk  
> there if you could manage to get all that way!

I think this thread bodes well for the hubbub to be anticipated at the  
signing session, whoever attends.

Rob
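
Added example, not part of the original message or of any VOEvent tooling: canonicalization run as a separate preprocessing step, producing the digest that any signer (PGP/GPG or X.509) would then be handed. It uses the Python standard library's C14N 2.0 routine; the packets and the namespace are constructed for illustration.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

NS = "urn:example:voevent"  # constructed namespace, not the IVOA one

# Constructed, VOEvent-like packets with identical content.
PACKET_A = (
    f'<?xml version="1.0"?><voe:VOEvent xmlns:voe="{NS}" '
    'ivorn="ivo://example.org/demo#1" role="test">'
    '<Who><AuthorIVORN>ivo://example.org/demo</AuthorIVORN></Who>'
    '<What><Param name="mag" value="17.2"/></What></voe:VOEvent>'
)
# Same content after a tool reordered attributes and changed quoting.
PACKET_B = (
    f"<voe:VOEvent role='test'\n   ivorn='ivo://example.org/demo#1'\n"
    f"   xmlns:voe='{NS}'>"
    "<Who><AuthorIVORN>ivo://example.org/demo</AuthorIVORN></Who>"
    "<What><Param value='17.2' name='mag'></Param></What></voe:VOEvent>"
)
# Same content after pretty-printing, which adds whitespace text nodes.
PACKET_C = (
    f'<voe:VOEvent xmlns:voe="{NS}" ivorn="ivo://example.org/demo#1" role="test">\n'
    '  <Who>\n    <AuthorIVORN>ivo://example.org/demo</AuthorIVORN>\n  </Who>\n'
    '  <What>\n    <Param name="mag" value="17.2"/>\n  </What>\n'
    '</voe:VOEvent>'
)

def raw_digest(xml: str) -> str:
    """Digest of the bytes as received: what a byte-oriented signer sees."""
    return hashlib.sha256(xml.encode("utf-8")).hexdigest()

def canonical_digest(xml: str, strip_text: bool = False) -> str:
    """Canonicalize first (C14N 2.0), then digest the canonical bytes."""
    canon = canonicalize(xml, strip_text=strip_text)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def matches(xml: str, signed_digest: str, strip_text: bool = False) -> bool:
    """Receiver side: re-canonicalize and compare in constant time."""
    return hmac.compare_digest(canonical_digest(xml, strip_text), signed_digest)

if __name__ == "__main__":
    signed = canonical_digest(PACKET_A)
    print("raw bytes equal:      ", raw_digest(PACKET_A) == raw_digest(PACKET_B))
    print("canonical form equal: ", matches(PACKET_B, signed))
    print("pretty-printed equal: ", matches(PACKET_C, signed))
    print("  with strip_text:    ", matches(PACKET_C, canonical_digest(PACKET_A, True), True))
```

Plain C14N keeps whitespace text nodes, so a re-indented packet only matches if signer and verifier both agree to strip them.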


