Re: [widget-digsig] zip relative path update from Thomas Roessler on 2009-03-18 (public-webapps@w3.org from January to March 2009)

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 18 Mar 2009 21:51:50 +0100
To: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Cc: ext Marcos Caceres <marcosc@opera.com>, Frederick Hirsch <Frederick.Hirsch@nokia.com>, "ext Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>, WebApps WG <public-webapps@w3.org>
Message-Id: <685D8A03-0D20-4342-8D0C-677345F598CB@w3.org>

I wonder what the interaction between this and a manifest approach for  
URI dereferencing would be. I could argue the case both ways, but  
would be interested in your thoughts.

--
Thomas Roessler, W3C  <tlr@w3.org>



On Mar 18, 2009, at 20:53, Frederick Hirsch  
<Frederick.Hirsch@nokia.com> wrote:

> Marcos
>
> Regarding the requirement for validity checking zip relative paths  
> in widget signature [1]  references, does the following change make  
> sense to you?:
>
> Change last paragraph in section 5.1, Use of XML Signature in  
> Widgets to (only last sentence is changed, to two new sentences):
>
> Every ds:Reference used within a widget signature MUST have a URI  
> attribute. Every ds:Reference to an item within the widget signature  
> MUST use an IDREF value for the ds:Reference URI attribute,  
> referring to a unique ID within the widget signature [XML-Schema- 
> Datatypes]. Every ds:Reference to a widget file MUST use a  URI  
> expressing the zip relative path to the widget file, properly URL  
> encoded [URI]. The zip relative path MUST conform to the  
> requirements expressed in [Widgets Packaging].
>
> Please let me know any comment or suggestion. Thanks for noting this  
> concern.
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
> [1] http://dev.w3.org/2006/waf/widgets-digsig/
>
> On Mar 17, 2009, at 8:15 AM, ext Marcos Caceres wrote:
>
>>
>> Hi Frederick,
>>
>> On 3/17/09 1:01 PM, Frederick Hirsch wrote:
>>> The latest draft includes the revised text from Thomas.
>>>
>>> Marcos, are you suggesting we add something more? It sounds like  
>>> what
>>> you are saying here, is that it should be a valid widget file. Isn't
>>> that part of P&C checking? I'm not sure what it means to check  
>>> that the
>>> paths are "as secure as possible."
>>
>> You might want to check the following section of the P&C [1] and  
>> see if
>> it is usable in dig sigs. Given that the paths in the <reference>
>> elements MUST be zip-relative-paths, the rules for checking the  
>> validity
>> of those paths may apply to the Widgets Dig Sig spec.
>>
>>
>> [1] http://dev.w3.org/2006/waf/widgets/#zip-relative-paths
>>
>

Received on Wednesday, 18 March 2009 20:52:37 UTC