Re: [widgets] Jar signing vs. XML signatures

On Apr 15, 2009, at 21:00 , Jonas Sicking wrote:
> This is a really bad reason not to rework the widget signing spec. I
> really hope that there are other more technical reasons that is
> keeping us from reworking the spec.

It's not an ideal reason, but it's not a bad one. This specification  
has been in the works for a fair while and people have had a chance to  
comment. I wasn't on the WG when using JAR was discussed but it was,  
and it was rejected.

We (the WG) have committed to a timeline, we made promises, and people  
outside of the WG have made decisions based on this commitment. There  
was no objection to doing this at the time. It doesn't help us to be  
fickle.

 From an implementer's point of view, I think that the situation is  
fairly simple: implementers who intend to ship on mobile devices (that  
is, pretty much everyone, though I don't know what the plan is for  
Fennec) will have to support what OMTP Bondi mandates for signatures  
because it's a terminal requirement. If W3C deviates from its time  
commitment and announced feature-stability, what will happen is that  
Bondi will just take the current draft, make a few minor edits, and  
ship that. That means implementers will have to support both what we  
have today, and what we could change to. Chances are, in practice,  
that's going to be a fair bit more complex than just supporting the  
one thing.

-- 
Robin Berjon - http://berjon.com/
     Feel like hiring me? Go to http://robineko.com/

Received on Friday, 17 April 2009 13:08:05 UTC