W3C home > Mailing lists > Public > public-device-apis@w3.org > October 2009

(wrong string) €” General]

From: Paddy Byers <paddy.byers@gmail.com>
Date: Wed, 7 Oct 2009 14:28:49 +0100
Message-ID: <59db1b5a0910070628vaa98a05he815fbd2b2b79f46@mail.gmail.com>
To: Device APIs and Policy Working Group WG <public-device-apis@w3.org>

Is revocation in scope of the DAP policy v1, or should it be deferred to
> v.next?
> Proposal: defer to v.next
> Rationale:  More than one mechanism might be used to implement revocation,
> so it can be deployment specific.

In Widgets DigSig [0] we just have the (non-normative) note:

> Note: A user agent's security policy can affect how signature validation
> impacts operation, and may** have additional constraints on establishing
> trust, including additional requirements on certificate chain validation and
> certificate revocation processing using CRLs [RFC5280] or OCSP [RFC2560].
There are no explicit requirements, nor non-normative implementation advice,
as to whether a UA performs status/CRL processing for any/all of the certs
in a chain at the time of installation, or at any other time. Does anyone
know the history of how WebApps arrived at that position? Too hard to agree,
not in scope, or not enough time?


[0]: http://dev.w3.org/2006/waf/widgets-digsig/#use
Received on Wednesday, 7 October 2009 13:29:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:32:12 UTC