- From: David Rogers <david.rogers@omtp.org>
- Date: Wed, 27 Aug 2008 10:42:12 +0100
- To: <public-webapps@w3.org>, "Marcos Caceres" <marcosscaceres@gmail.com>, <art.barstow@nokia.com>
- Cc: "Nick Allott" <nick.allott@omtp.org>
- Message-ID: <4C83800CE03F754ABA6BA928A6D94A0601588697@exch-be14.exchange.local>
Dear all,

As discussed in the meeting today, please find further details in the OMTP BONDI submission of non-W3C member inputs - members of OMTP that have contributed that have not signed the RF policy of W3C. This applies to "BONDI Comments to W3C Web Applications WG Widget Requirements OMTP Public Working Draft v1_0" [1]. Please note, there were no non-member contributions to the OMTP BONDI submission to W3C [2].

The relevant text is shown highlighted in the attached pdf and also shown as plain text below, marked with the excerpted text from the document with guillemets << >>.

"RXX. Support for Multiple Message Digest Algorithms

A conforming specification SHALL specify that where the integrity of data is protected using a message digest, it SHALL be possible to use the SHA-1 message digest algorithm and <<SHALL>> be possible to use the SHA-256 message digest algorithm."

...

"RXX. Key Lengths

A conforming spec SHALL specify that widget processing environments SHALL support RSA with key lengths up to at least 2048 bits and SHALL support DSA with key lengths up to at least 2048 bits (see NIST Recommendation <http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf>). A conforming spec SHALL recommend that widget signing tools SHALL support and use RSA with key lengths of at least 2048 bits and DSA with key lengths of at least 2048 bits (see NIST Recommendation <http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf>).

Motivation: Security <http://www.w3.org/TR/2008/WD-widgets-reqs-20080625/#security0>

Rationale: To be in-line with current security recommendations and provide longevity of the system security. <<In some use cases it may be desirable to use key lengths of less than 2048 bits, e.g. where the impact on performance outweighs the additional security afforded.>>"

...

"RXX. Key Usage Extension

A conforming specification MUST specify the expected use of valid key usage extensions and when present (in end entity certs) MUST specify that implementations verify that the extension has the digitalSignature bit set. A conforming specification MUST specify that implementations recognize the extended key usage extension and when present (in end entity certs) verify that the extension contains the id-kp-codeSigning object identifier. <<A conforming specification MAY also define a new OID specifically for widget signing, and specify that implementations verify that the extended key usage extension in the end entity cert contains this new OID.>>"

Thanks,

David.

[1] http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0302.html
[2] http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0308.html
Attachments
- application/octet-stream attachment: Non-W3C RF committed contributions highlighted - BONDI_Comments_To_W3C_Web_Applications_WG_Widget_Requirements_OMTP_Public_Working_Draft_v1_0.pdf
Received on Wednesday, 27 August 2008 09:43:30 UTC