- From: Priestley, Mark, VF-Group <Mark.Priestley@vodafone.com>
- Date: Thu, 19 Mar 2009 14:50:52 +0100
- To: "Frederick Hirsch" <Frederick.Hirsch@nokia.com>, "WebApps WG" <public-webapps@w3.org>
- Cc: "Marcos Caceres" <marcosscaceres@gmail.com>
- Message-ID: <0BE18111593D8A419BE79891F6C4690902B1CC2E@EITO-MBX01.internal.vodafone.com>
Hi Frederick,

I agree with all of your changes with two comments.

The sentence: "The Signature MUST be produced using a key of the recommended key length <http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length>" is still problematic given that we allow (although discourage) key lengths less than the recommended key length, and probably don't want to rule out the use of longer keys.

Suggest changing to:

"The Signature SHOULD be produced using a key of the recommended key length <http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length>. The Signature MUST comply with Signature method algorithm requirements in the Algorithms section of this document"

I also think we need to link recommended key length to algorithms now we allow other algorithms to be used, ie if ECDSA is used it would be OK to use shorter keys.

Thanks,

Mark

________________________________

From: Frederick Hirsch [mailto:Frederick.Hirsch@nokia.com]
Sent: 18 March 2009 20:34
To: WebApps WG
Cc: Frederick Hirsch; Priestley, Mark, VF-Group; Marcos Caceres
Subject: [widget-digsig] proposed change to 7.1, common constraints, for algorithms

Mark

One issue you raised was that we have MUSTS on algorithms in the processing rules in section 7.1, but allow other algorithms in the algorithm section with MAY.

After our previous email exchange, I suggest the following changes to section 7.1 in Widget Signature [1] to address this concern:

(1) Change item 3b from

The Algorithm attribute of the ds:digestMethod MUST be set to a digest algorithm specified in the Algorithms section of this document.

to

The Algorithm attribute of the ds:digestMethod MUST comply with the digest algorithm requirements specified in the Algorithms section of this document.

(2) Change 5a from

The Algorithm attribute of the ds:CanonicalizationMethod element MUST be set to a Canonicalization method specified in the Algorithms section of this document.

to

The Algorithm attribute of the ds:CanonicalizationMethod element MUST comply with the Canonicalization method algorithm requirements specified in the Algorithms section of this document.

(3) Change 5b from

The ds:SignatureValue element MUST contain a signature generated using a Signature method specified in the Algorithms section of this document and MUST use a key that is of the length of a recommended key length <http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length>.

to

The Signature method algorithm used in the ds:SignatureValue element MUST comply with Signature method algorithm requirements in the Algorithms section of this document. The Signature MUST be produced using a key of the recommended key length <http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length>

Does this change make sense? Do you have any suggestion or comment?

Thanks for the careful review of the draft.

regards, Frederick

Frederick Hirsch
Nokia

[1] http://dev.w3.org/2006/waf/widgets-digsig/

[mp] While this is better I think it misses the fact that we are strongly recommending the use of certain algorithms. I still like the idea of including authoring (signing) guidelines/recommendations, ie you can sign your widget using any signature algorithm but if you want it to work across all W3C widget user agents use algorithm X. Same sort of thing for digest algorithm and key length. What do you think?
Received on Thursday, 19 March 2009 13:51:45 UTC
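
The MUST/SHOULD split discussed in this thread, as an added example that is not part of either message or of the Widget Signature draft: a checker that treats algorithm compliance as a hard failure and a key shorter than the per-algorithm recommended length as a warning, while letting longer keys pass. The function name `check_signature`, the supported-algorithm sets, the key lengths in bits and the choice to report unsupported algorithms as errors are assumptions describing one hypothetical user agent.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Hypothetical policy of one user agent: supported signature methods mapped to
# an ASSUMED recommended key length in bits (values are not from the thread).
SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": 2048,
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256": 256,
}
DIGEST_METHODS = {"http://www.w3.org/2001/04/xmlenc#sha256"}
C14N_METHODS = {"http://www.w3.org/2006/12/xml-c14n11"}


def check_signature(xml_text, key_bits):
    """Return (errors, warnings): MUST failures and SHOULD deviations."""
    errors, warnings = [], []
    signed_info = ET.fromstring(xml_text).find(DS + "SignedInfo")
    if signed_info is None:
        return ["ds:SignedInfo missing"], warnings
    c14n = signed_info.find(DS + "CanonicalizationMethod")
    if c14n is None or c14n.get("Algorithm") not in C14N_METHODS:
        errors.append("unsupported canonicalization method")
    for ref in signed_info.iter(DS + "Reference"):
        digest = ref.find(DS + "DigestMethod")
        if digest is None or digest.get("Algorithm") not in DIGEST_METHODS:
            errors.append("unsupported digest method for " + ref.get("URI", "?"))
    sig = signed_info.find(DS + "SignatureMethod")
    recommended = SIGNATURE_METHODS.get(sig.get("Algorithm")) if sig is not None else None
    if recommended is None:
        errors.append("unsupported signature method")
    elif key_bits < recommended:  # shorter key: discouraged, not rejected
        warnings.append(f"key is {key_bits} bits, recommended {recommended}")
    return errors, warnings  # a key longer than recommended passes silently


# Constructed sample signature; digest and signature values are elided.
SAMPLE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
<SignatureMethod Algorithm="{sig}"/>
<Reference URI="config.xml">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>...</DigestValue></Reference>
</SignedInfo><SignatureValue>...</SignatureValue></Signature>"""
```

The key size is passed in as `key_bits` because extracting it from the signing certificate is outside what this sketch covers.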