Trouble with signature filter skipping

Cantor, Scott cantor.2 at
Fri Sep 14 13:25:49 EDT 2018

On 9/14/18, 10:55 AM, "users on behalf of Guillaume Rousse" <users-bounces at on behalf of guillaume.rousse at> wrote:

> This would achieve caching in addition to backup. If such a change is 
> considered favorable, I'd be ready to contribute it myself.

The problem isn't downloading the file, it's parsing it, and fixing that would be a massive change, and risky, and it solves a problem you're creating yourself by doing something the SP absolutely doesn't want you to do. Metadata is meant to be loaded globally, not per-override, and something of this size makes no sense to load any other way.

> Is it a design decision, or merely an implementation issue?
> Because that's quite counter-intuitive, and also prevents exchanging signature
> checking in favor of metadata source authentication, which doesn't 
> suffer from CPU usage bottleneck.

Both. The trust model is inherently based on signed metadata that can't be modified in transit or by network proxies, and even if it weren't, a model based on a key that has to be exposed to a web server has very different risks. I realize that people are doing dynamic metadata by doing online signing too, but they don't have to; it's possible to segregate the signing operations with a key that is very far from wide exposure to network access.

You're suggesting putting a CA online. That is a bad idea.

-- Scott
