Signing events

[Bob Denny]

You said:
> In the longer term, I can imagine a whole panoply of different uses for signed events, and that's the problem: if we deploy Bob's system now, does that damage our future prospects? If we follow a more complex scheme, is it going to hit a complexity wall – or, at least, take so long to mature that it can't meet our needs this year?
Of course, as Norm points out (and as have others before him over 6 years) there
are all of the old objections like "what if we rip apart the message and
normalize it, and store it in a mapped database, or run it through a DOM, blah
blah, and then later reconstruct it in a normalized form, and..." Feel free to
chase your collective tails for another 6 years.

Meanwhile, if you are OK with the VOEvent message not being altered (_which
after all seems to be the whole idea to me_), and if you are OK with using
PROVEN/VETTED security tools (GPG/PGP) which are widely understood/accepted and
which do not require expensive or untrusted (and difficult to manage) X.509
certs, and and and... No libraries. Just a command line executable. I'm waiting
for the "scalability card" to be pulled next :-)) The DigiSig option of the
Transport 1.1 spec provides publisher authentication and message integrity. The
logic needed is trivial as shown by the simple perl scripts that are published
in the Transport 1.1 IVOA Note. If you haven't looked at it, it might be nice to
do so.

And are we ever going to stop calling Transport "vTCP" or "vanilla" or ??? which
is not indicative of the particular spec ("Handshake" or "IVOA Note",
significant differences!) and elicits the type of question to which Alasdair
just responded, and which comes from those who just don't want to learn the
details about it?

  -- Bob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.ivoa.net/pipermail/voevent/attachments/20120305/12c9d477/attachment.html>