W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2009

Re: [widgets] Editorial Comments on 18-Aug-2009 LCWD of A&E spec

From: Marcos Caceres <marcosc@opera.com>
Date: Mon, 21 Sep 2009 20:08:27 +0200
Message-ID: <b21a10670909211108x7d2072a2of15a76d5892317ca@mail.gmail.com>
To: Arthur Barstow <Art.Barstow@nokia.com>
Cc: public-webapps <public-webapps@w3.org>
2009/9/15 Marcos Caceres <marcosc@opera.com>:
> Arthur Barstow wrote:
>> On Sep 14, 2009, at 11:00 AM, ext Marcos Caceres wrote:
>>> On Mon, Sep 14, 2009 at 1:33 PM, Arthur Barstow
>>> <Art.Barstow@nokia.com> wrote:
>>>> On Sep 13, 2009, at 1:06 PM, ext Marcos Caceres wrote:
>>>>> It is optional for a user agent to support the widgets
>>>>> [Widgets-DigSig] specification.
>>>>> ]]
>>>> Why did you add the DigSig text above and new DigSig paragraph below the
>>>> Note (Section 4)? This spec should focus exclusively on the A&E UA.
>>> The reason is that currently, the following text does not have a home:
>>> [[A user agent must prevent a browsing context of a widget from
>>> accessing (e.g., via scripts, CSS, HTML, etc.) the contents of a
>>> digital signature document unless an access control mechanism
>>> explicitly enables such access, e.g. via an access control policy. The
>>> definition of such a policy mechanism is beyond the scope this
>>> specification, but can be defined by implementers to allow access to
>>> all or parts of the signature documents, or deny any such access. An
>>> exception is if a user agent that implements this specification also
>>> implements the optional [Widgets-DigSig] specification, in which case
>>> the user agent must make digital signature documents available only to
>>> the implementation of the [Widgets-DigSig] specification; a user agent
>>> must not make the digital signatures accessible to scripting or other
>>> content loading mechanisms, unless explicitly enabled by an access
>>> control mechanism.]]
>>> This spec seems like a good home for the text above (hence the
>>> optionality of widgets dig sig).
>> I kinda' understand the general concern, but I don't think the lack of a
>> "home" for this spec is sufficient rationale to make the quoted text
>> above normative in this spec.
> Agreed.
>> We should try to keep these specs as independent as possible.
> Agreed.
>> It also isn't clear how one would test the "unless" clause of the first
>> statement for a black-box implementation of the A&E spec.
> We need to plug this hole somewhere/somehow. I'll take this out of the spec, but this text needs to be captured as a formal issue with widgets that _must_ be addresses before we wrap up this work.

Ok, I've deleted the assertion.

Marcos Caceres
Received on Monday, 21 September 2009 18:09:13 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:18 UTC