[widget-digsig] zip relative path update

Marcos

Regarding the requirement for validity checking zip relative paths in  
widget signature [1]  references, does the following change make sense  
to you?:

Change last paragraph in section 5.1, Use of XML Signature in Widgets  
to (only last sentence is changed, to two new sentences):

Every ds:Reference used within a widget signature MUST have a URI  
attribute. Every ds:Reference to an item within the widget signature  
MUST use an IDREF value for the ds:Reference URI attribute, referring  
to a unique ID within the widget signature [XML-Schema-Datatypes].  
Every ds:Reference to a widget file MUST use a  URI expressing the zip  
relative path to the widget file, properly URL encoded [URI]. The zip  
relative path MUST conform to the requirements expressed in [Widgets  
Packaging].

Please let me know any comment or suggestion. Thanks for noting this  
concern.

regards, Frederick

Frederick Hirsch
Nokia


[1] http://dev.w3.org/2006/waf/widgets-digsig/

On Mar 17, 2009, at 8:15 AM, ext Marcos Caceres wrote:

>
> Hi Frederick,
>
> On 3/17/09 1:01 PM, Frederick Hirsch wrote:
>> The latest draft includes the revised text from Thomas.
>>
>> Marcos, are you suggesting we add something more? It sounds like what
>> you are saying here, is that it should be a valid widget file. Isn't
>> that part of P&C checking? I'm not sure what it means to check that  
>> the
>> paths are "as secure as possible."
>
> You might want to check the following section of the P&C [1] and see  
> if
> it is usable in dig sigs. Given that the paths in the <reference>
> elements MUST be zip-relative-paths, the rules for checking the  
> validity
> of those paths may apply to the Widgets Dig Sig spec.
>
>
> [1] http://dev.w3.org/2006/waf/widgets/#zip-relative-paths
>

Received on Wednesday, 18 March 2009 19:54:49 UTC