Re: [widgets] How to divorce widgets-digsig from Elliptic Curve PAG?

Undated references (what you are suggesting) has the MAJOR PROBLEM that it makes it DIFFICULT/IMPOSSIBLE to do validation of any product that claims conformance to a standard – since it's impossible to determine which version of each undated reference they used.  Additionally, it makes interoperability difficult/impossible since you can have multiple valid conforming implementations BUT they don't actually interoperate due to changes between revisions (and algo changes would be a good example of such an interoperability issue).

Leonard

From: Marcos Caceres <marcosscaceres@gmail.com<mailto:marcosscaceres@gmail.com>>
Date: Fri, 16 Dec 2011 22:49:01 -0800
To: Marcos Caceres <w3c@marcosc.com<mailto:w3c@marcosc.com>>
Cc: Rigo Wenning <rigo@w3.org<mailto:rigo@w3.org>>, "Frederick.Hirsch@nokia.com<mailto:Frederick.Hirsch@nokia.com>" <Frederick.Hirsch@nokia.com<mailto:Frederick.Hirsch@nokia.com>>, "Art.Barstow@nokia.com<mailto:Art.Barstow@nokia.com>" <Art.Barstow@nokia.com<mailto:Art.Barstow@nokia.com>>, Thomas Roessler <tlr@w3.org<mailto:tlr@w3.org>>, Doug Schepers <schepers@w3.org<mailto:schepers@w3.org>>, "plh@w3.org<mailto:plh@w3.org>" <plh@w3.org<mailto:plh@w3.org>>, "public-webapps@w3.org<mailto:public-webapps@w3.org>" <public-webapps@w3.org<mailto:public-webapps@w3.org>>, "public-xmlsec@w3.org<mailto:public-xmlsec@w3.org>" <public-xmlsec@w3.org<mailto:public-xmlsec@w3.org>>
Subject: Re: [widgets] How to divorce widgets-digsig from Elliptic Curve PAG?

I think I have a better solution...

1. Widgets points to unversioned:  http://www.w3.org/TR/xmldsig-core/
2. when XML dig sig pag finishes and spec goes to rec, XML Dig Sig 1.X (and future versions) gets put at http://www.w3.org/TR/xmldsig-core/
3. Done.

That way widgets always just depend on latest and greatest version of XML dig sig and are not locked into 1.1 (I just finished slamming the XHTML guys for locking into XML 4ed, so it would be ironic/moronic for me to then do the same with widget's dependency on XML Dig Sig 1.1 - so I simply won't do that).

I think that solves the problem much more elegantly both for widgets, and for everyone else waiting for the PAG to progress. What is needed from the XML Security Group is assurance that all future Recs of XML Dig Sig will be published at http://www.w3.org/TR/xmldsig-core/ (or http://www.w3.org/TR/xmldsig-latest/ if you don't want to obsolete 1.0 with 1.1 - though that would be confusing given that 1.1 fixes 1.0 hence making 1.0 obsolete).

Unicode, SVG, and WHATWG HTML use this model effectively already, so it would be good if XML dig sigs did the same. It solves the problem now and for all future versions without need to wait on the resolution of the PAG... And the automatically benefits once the PAG sorts itself out. Simple and beautiful! :)

Kind regards,
Marcos


On Thursday, December 15, 2011, Marcos Caceres <w3c@marcosc.com<mailto:w3c@marcosc.com>> wrote:
>
>
> On Wednesday, December 14, 2011 at 10:31 PM, Marcos Caceres wrote:
>
>>
>>
>> On Wednesday, 14 December 2011 at 21:06, Rigo Wenning wrote:
>>
>> > Hi all,
>> >
>> > as the PAG chair of this XMLSEC PAG, let me tell you that support from the
>> > industry in sorting this out was low so far. What I heard through the
>> > grapevine was more or less: "We know, but we can't tell you".
>> >
>> > For the moment, W3C is asking for cost estimates to figure out what most of
>> > the members already know (as they have done the analysis on ECC long ago).
>> > Taking into account the complexity of the subject matter and also the delays
>> > due to messaging to the AC etc, I'm rather pessimistic about a quick
>> > resolution.
>>
>>
>> That's fine. That just makes for a stronger case to put to the Director (or for doing what Artb suggested, and moving the ECC to a future version of XML Dig Sig).
> FYI, document is ready to be published as REC:
>
>  http://dev.w3.org/2006/waf/widgets-digsig/
>
>
> --
> Marcos Caceres
>
>
>
>

Received on Sunday, 18 December 2011 17:46:02 UTC