Salmon signature verification and author/atom:id

[GoogleCodeExporter]

In discussion w/Will Norris, we came up with an issue.  If an entry is an 
Activity and the author(actor) has both a URI and a globally unique 
atom:id, there's an issue with which identifier to rely on.  The URI is 
discoverable and can be linked directly to the public signing key.  The 
atom:id, if present, is not necessarily discoverable (it is often a tag: 
URI) and is a permanent, persistent identifier that would be a good 
candidate for a primary foreign key for that person.  However, verifying 
the Magic Signature just verifies that the author/atom:uri claims that 
author/atom:id, not that they actually own it.  Thus I could sign a Salmon 
which has author/atom:id belonging to Will.

So 3 possible resolutions here: (1) When using signed entries, the atom:id 
of the author(actor), if present, MUST be ignored; (2) When using signed 
entries, the atom:id of the author(actor), if present, MUST be a 
discoverable URI (http(s): or acct:, not tag:); or (3) something else.

Thoughts?

Original issue reported on code.google.com by jpanzer@google.com on 2 Mar 2010 at 10:56

[GoogleCodeExporter]

Pinged Activity Streams mailing list about this issue: 
http://groups.google.com/group/activity-
streams/browse_thread/thread/d911522febb8e52a

Original comment by jpanzer@google.com on 6 Apr 2010 at 11:00

[GoogleCodeExporter]

Resolved:  The semantics of atom:id inside atom:author are irrelevant to Salmon 
and Magic 
Signatures.

Original comment by jpanzer@google.com on 15 Apr 2010 at 9:57

• Changed state: Fixed