- From: Marcos Caceres <marcosc@opera.com>
- Date: Tue, 24 Feb 2009 23:33:55 +0100
- To: Frederick Hirsch <frederick.hirsch@nokia.com>
- Cc: "ext Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>, "Barstow Art (Nokia-CIC/Boston)" <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>

Hi Frederick,

On Tue, Feb 24, 2009 at 11:19 PM, Frederick Hirsch <frederick.hirsch@nokia.com> wrote:
> The Widget Signature spec is not an API definition so probably does not need
> to define how signature status information is returned.

You are right, so agreed.

> I also agree that it
> would be incorrect to define in the Widget Signature spec whether or not a
> widget is valid, that is out of scope.

Right again.

> The spec limits itself to signature
> validation. However I would not want to be prescriptive in the
> specification to the level of status return codes.

Ok, makes sense.

> We may want to add a security considerations note along the lines of
>
> "As distributor signatures are not included in an overall widget signature,
> it is possible for signatures to be added or removed and hence a secure
> channel for widget delivery might be preferable."

Ok, that is also an important security consideration. Should definitely have that in the spec under security considerations or some such section.

--
Marcos Caceres
http://datadriven.com.au

Received on Tuesday, 24 February 2009 22:34:43 UTC