W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [widgets] dig sig and requirements ready for pub!

From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Date: Mon, 4 May 2009 13:08:49 -0400
Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, "Barstow Art (Nokia-CIC/Boston)" <Art.Barstow@nokia.com>, ext Kai Hendry <hendry@aplix.co.jp>, Thomas Roessler <tlr@w3.org>, public-webapps <public-webapps@w3.org>
Message-Id: <F0A1CF9A-2701-4EFE-9625-13CE3694DCBB@nokia.com>
To: "marcosc@opera.com" <marcosc@opera.com>
The spec is more than a UA spec, it also describes signature format  
which affects parties other than the UA (e.g. audit etc)


regards, Frederick

Frederick Hirsch
Nokia



On May 4, 2009, at 12:42 PM, ext Marcos Caceres wrote:

> On Mon, May 4, 2009 at 4:13 PM, Frederick Hirsch
> <Frederick.Hirsch@nokia.com> wrote:
>> The Identifier property is useful for audit and management in the  
>> backend.
>>  I believe this should remain in the specification and should  
>> remain a
>> normative section, agreeing with Thomas note in the chat. It was  
>> added based
>> on requirements from WG members.
>>
>
> I understand the use case, but i still don't understand why we are
> mandating the use of the dsp:Identifier if it's not going to be used
> by the UA? If a signer wants to use dsp:Identifier for whatever
> reason, then are free to do so by using the Signature Properties spec.
> Putting something in the spec that does not do anything doesn't make
> sense to me.
>
>> Thomas mentioned in the chat the means to obtain unique values,  
>> e.g. large
>> random number, serial number + DNS  etc, but I think this can be  
>> out of
>> scope of the spec.
>>
>> Currently the specification states
>> Each widget signature MUST contain a dsp:Identifier signature  
>> properties
>> element compliant with XML Signature Properties [XMLDSIG- 
>> Properties] and
>> this specification.
>>
>> We can add, "A signer MUST place the dsp:Identifier signature  
>> property into
>> the signature when generating the signature." if necessary.
>>
>> regards, Frederick
>>
>> Frederick Hirsch
>> Nokia
>>
>>
>>
>> On May 4, 2009, at 9:38 AM, Barstow Art (Nokia-CIC/Boston) wrote:
>>
>>> Kai - this is a good question.
>>>
>>> Frederick - we (MC, TLR and I) talked about this in IRC today.  
>>> Please
>>> take a look and let us know your thoughts:
>>>
>>>  <http://krijnhoetmer.nl/irc-logs/webapps/20090504>
>>>
>>> -Regards, Art Barstow
>>>
>>>
>>> On May 1, 2009, at 6:49 AM, ext Kai Hendry wrote:
>>>
>>>> http://dev.w3.org/2006/waf/widgets-digsig/#identifier-signature-
>>>> property
>>>>
>>>> I'm not sure what "signature management" is exactly, though can
>>>> someone please inform me what a UA is supposed to do with
>>>> dsp:Identifier?
>>>>
>>>>
>>>> I'm also keen on seeing a simple self sign sign/verify example  
>>>> using
>>>> http://www.aleksey.com/xmlsec/ or some other opensource tool.
>>>>
>>>>
>>>> Kind regards,
>>>>
>>>
>>
>>
>>
>
>
>
> -- 
> Marcos Caceres
> http://datadriven.com.au
Received on Monday, 4 May 2009 17:11:01 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT