- From: Paddy Byers <paddy.byers@gmail.com>
- Date: Wed, 7 Oct 2009 14:28:49 +0100
- To: Device APIs and Policy Working Group WG <public-device-apis@w3.org>
Received on Wednesday, 7 October 2009 13:29:24 UTC
Hi, Is revocation in scope of the DAP policy v1, or should it be deferred to > v.next? > > Proposal: defer to v.next > > Rationale: More than one mechanism might be used to implement revocation, > so it can be deployment specific. > In Widgets DigSig [0] we just have the (non-normative) note: > Note: A user agent's security policy can affect how signature validation > impacts operation, and may** have additional constraints on establishing > trust, including additional requirements on certificate chain validation and > certificate revocation processing using CRLs [RFC5280] or OCSP [RFC2560]. > There are no explicit requirements, nor non-normative implementation advice, as to whether a UA performs status/CRL processing for any/all of the certs in a chain at the time of installation, or at any other time. Does anyone know the history of how WebApps arrived at that position? Too hard to agree, not in scope, or not enough time? Paddy [0]: http://dev.w3.org/2006/waf/widgets-digsig/#use
Received on Wednesday, 7 October 2009 13:29:24 UTC