[prev in list] [next in list] [prev in thread] [next in thread] 

List:       mozilla-security
Subject:    Re: Signed scripts ?
From:       Mitch Stoltz <mstoltz () netscape ! com>
Date:       2000-03-29 2:09:24
[Download RAW message or body]

Biju,
   Exactly. We're now signing the whole file, not just the Javascript, on the
assumption that site developers want to finish their pages and then sign them
before publishing. With the new syntax, they don't have to go back through and
add ID and ARCHIVE tags in order to sign pages. True, any change to the HTML
will mean having to re-sign, but this way is more straightforward.

>
> From your description, it looks like you are signing the whole HTML file
> rather than only-the-Javascript model from Netscape 4.x. Please
> correct me if I am wrong ? The advantage of this apparently being
> that you dont have to introduce any additional attributes for the HTML
> tags (like ARCHIVE and ID). The disadvantage being more information is
> signed than needed since we need to protect accesses from Javascript
> only. So, the JAR files for 4.x and mozilla will be different and if anyone
>
> needs to support applications running across versions, it introduces
> a minor problem of maintaining two different JAR files (though not a big
> issue).

[prev in list] [next in list] [prev in thread] [next in thread]