W3C home > Mailing lists > Public > public-xmlsec@w3.org > June 2009

RE: Reminder: Comments for LCWD of Widgets 1.0: Digital Signatures due June 1

From: Priestley, Mark, VF-Group <Mark.Priestley@vodafone.com>
Date: Thu, 4 Jun 2009 14:27:32 +0200
Message-ID: <0BE18111593D8A419BE79891F6C4690903109E21@EITO-MBX01.internal.vodafone.com>
To: "Arthur Barstow" <art.barstow@nokia.com>, "public-webapps" <public-webapps@w3.org>, <public-xmlsec@w3.org>
Hi Art, All,

Vodafone has some late comments which it would like to provide to the
group for consideration and apologise for supplying these after the

We believe that all but one of the comments is editorial and so there
inclusion or otherwise should not affect or delay the decision to go to
CR status, which we support. In submitting these comments it is not our
intention or desire to hold up this process, only to provide the
comments for consideration. 

The only comment that doesn't fit into this category is a question that
has been raised by one of our developers. My hope is that there is
already an answer!



Editorial Comments

-------[Definition of file entry]-------

Section: 1.2

"A file entry is the compressed (or Stored [ZIP]) representation of a
physical file or folder contained within a widget package, as defined in
the [Widgets Packaging] specification."

In Widgets 1.0: Packaging and Configuration [2] the file entry
definition is different.

"A file entry is the data held by a local file header, file data, and
(optional) data descriptor, as defined in the [ZIP] specification, for
each physical file contained in a Zip archive."

Comment - the inclusion of folder in the definition in [1] has caused
one reviewer to ask if there should be a reference element for folders?
I believe this is not the case and "or folder" could be removed from the

-------[Requirements accuracy]-------

Section: 2

"R52. Support for Multiple Signature Algorithms: DSA-SHA-1, RSA-SHA-1,
DSA-SHA-256 and RSA-SHA-256."

Are these algorithms still correct? DSA-SHA-256 and RSA-SHA-1 should
probably be removed as they are not required algorithms. ECDSA-SHA-256
could be added. 

[Conflict between mandatory statements]

"A user agent MAY support additional signature algorithms." (Section:
"A user agent MAY support additional digest methods." (Section: 6.2)
"A user agent MAY support additional XML canonicalization methods."
(Section: 6.3)

Section: 7.1
"The Algorithm attribute of the ds:digestMethod MUST be one of the
digest algorithms."
"The Algorithm attribute of the ds:CanonicalizationMethod element MUST
be one of the canonicalization algorithms."
"The ds:SignatureMethod algorithm used in the ds:SignatureValue element
MUST be one of the signature algorithms."

Comment - If in section 6 we say "A user agent MAY support additional
XXX algorithms", which seems to be in conflict with section 7 that
states the algorithm used must be one of algorithms listed in section 6.
This seems to be an open ended requirement.

Suggestion - Remove the statements in section 7.1. It is down to the
signer to choose the algorithm to use. If they choose to use a
non-recommended algorithm they should understand that user agent support
cannot be guaranteed. 

Question / non-editorial

-------[Support for certificate chains]-------

Typically more than one X509 certificate will need to be included in the
signature in order to construct a certificate chain to an installed root
certificate. Ideally the widget user agent would be given an indication
of how to re-construct the certificate chain. This could be done my
recommending that X509Certificate elements be included in certificate
chain order or by including an attribute to the element, e.g.

	 <X509Certificate order="1">...</X509Certificate>
	 <X509Certificate order="2">...</X509Certificate>
	 <X509Certificate order="3">...</X509Certificate> </X509Data>

Maybe this is already solved with other uses of XML Digital Signatures?

[1] http://dev.w3.org/2006/waf/widgets-digsig/
[2] http://www.w3.org/TR/widgets/#definitions




-----Original Message-----
From: public-webapps-request@w3.org
[mailto:public-webapps-request@w3.org] On Behalf Of Arthur Barstow
Sent: 21 May 2009 18:23
To: public-webapps; public-xmlsec@w3.org
Subject: Reminder: Comments for LCWD of Widgets 1.0: Digital Signatures
due June 1

Hi All - a friendly reminder June 1 is the end of the comment period for
the April 30 Widgets 1.0: Digital Signatures Last Call Working


Please send all comments by June 1.

-Regards, Art Barstow

On May 1, 2009, at 10:48 AM, Barstow Art (Nokia-CIC/Boston) wrote:

> On April 30 the WebApps WG published a LCWD of the Widgets 1.0 Digital

> Signatures spec:
> [[
> <http://www.w3.org/TR/2009/WD-widgets-digsig-20090430/>
> Introduction
> This document defines a profile of the XML Signature Syntax and 
> Processing 1.1 specification to allow a widget package to be digitally

> signed. Widget authors and distributors can digitally sign widgets as 
> a mechanism to ensure continuity of authorship and distributorship. 
> Prior to instantiation, a user agent can use the digital signature to 
> verify the integrity of the widget package and to confirm the signing 
> key(s). This document specifies conformance requirements on both 
> widget packages and user agents.
> A widget package can be signed by the author of the widget producing 
> an [XMLDSIG11] signature that cryptographically includes all of the 
> file entries other than signature files. A widget package can also be 
> signed by one or more distributors of the widget, producing 
> [XMLDSIG11] signatures that each cryptographically includes all of the

> non-signature file entries as well as any author signature.
> ]]
> We explicitly seek comments from the XML Security WG; comments from 
> other WGs as well as the TAG are welcome.
> The comment period ends 1 June 2009.
> All comments should be sent to public-webapps@w3.org [1].
> -Regards, Art Barstow
> [1] <http://lists.w3.org/Archives/Public/public-webapps/>
Received on Thursday, 4 June 2009 12:28:18 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:11 UTC