w3c / pwpub

W3C packaged Web Publications
https://w3c.github.io/pwpub/

Allow signing the components of a package #31

Status: Closed (closed by llemeurfr 5 years ago)

llemeurfr commented 5 years ago

The new packaging format should not mix XML with JSON. Therefore the reuse of the signature.xml file is not the way to go and we have to find a "JSON" way to handle the signature of WP resources.

iherman commented 5 years ago

I am not an expert in this area, but I stumbled across these references:

These are all proposed RFC standards. Bottom line: there are a number of JSON-based specifications that could be used...

dauwhe commented 5 years ago

How many creators of EPUB sign their EPUBs? Do any existing audiobook workflows or formats involve digitally signing the files? Blackstone's format does provide a way to record the hash of the individual audio files... is this enough for existing uses?

GarthConboy commented 5 years ago

At least for now [audiobooks] (and likely long term), I'd just expunge signature.xml.

geoffjukes commented 5 years ago

We (Blackstone) do not digitally sign our audio or epubs. We do (as @dauwhe mentions) gather an MD5, which is used by our apps to validate a download is complete. Could be facilitated with w3c/wpub#398?

iherman commented 5 years ago

I have a preference for something like https://github.com/w3c/wpub/issues/398, just as @geoffjukes proposes. Having yet another separate file sounds over the top; having slots in the metadata file for some sort of a checksum sounds reasonable (and also mimics what happens elsewhere).

laudrain commented 5 years ago

@dauwhe actually at Hachette Livre digital distribution, we do sign our EPUBs and send the MD5 in the ONIX feed describing the file. That's systematic.

BigBlueHat commented 5 years ago

A signature of the JSON won't be a signature of the package nor its contents, so the scenarios and moment of verification should be considered thoroughly.
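
The distinction raised in the comment above, as an added example that is not part of the thread or of any W3C specification: a signature over the manifest JSON says nothing about the packaged files unless the manifest carries a digest per resource and the verifier recomputes each one. The field names `resources`, `url` and `sha256` are assumptions, HMAC-SHA256 stands in for a real JSON signature scheme, and the key and files are constructed.

```python
import hashlib
import hmac
import json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(resources: dict) -> dict:
    # Hypothetical manifest layout: one digest slot per packaged resource.
    return {"name": "Constructed sample publication",
            "resources": [{"url": url, "sha256": digest(body)}
                          for url, body in sorted(resources.items())]}

def canonical(manifest: dict) -> bytes:
    # Stable serialization so signer and verifier authenticate the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(manifest: dict, key: bytes) -> str:
    # HMAC-SHA256 is a stand-in for a real signature over the manifest.
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()

def verify_manifest_only(manifest: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)

def verify_package(manifest: dict, tag: str, key: bytes, resources: dict) -> list:
    """Return a list of problems; an empty list means everything checked out."""
    if not verify_manifest_only(manifest, tag, key):
        return ["manifest signature mismatch"]
    listed = {r["url"]: r["sha256"] for r in manifest["resources"]}
    problems = []
    for url, expected in listed.items():
        body = resources.get(url)
        if body is None:
            problems.append(f"missing: {url}")
        elif not hmac.compare_digest(digest(body), expected):
            problems.append(f"digest mismatch: {url}")
    # Files present in the package but absent from the signed manifest.
    return problems + [f"unlisted: {u}" for u in sorted(resources) if u not in listed]

# Constructed sample data.
KEY = b"constructed-demo-key"
PACKAGE = {"chapter1.html": b"<p>One</p>", "track01.mp3": b"\x00audio-bytes"}
MANIFEST = build_manifest(PACKAGE)
TAG = sign_manifest(MANIFEST, KEY)
TAMPERED = {**PACKAGE, "track01.mp3": b"\x00other-bytes"}
```

`verify_manifest_only` never looks at the package, so it still succeeds when `TAMPERED` is what was delivered; only `verify_package` reports the changed file.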

iherman commented 5 years ago

This issue was discussed in a meeting.

llemeurfr commented 5 years ago

Proposal:

iherman commented 5 years ago

This issue was discussed in a meeting.

llemeurfr commented 5 years ago

No update needed.