W3C home > Mailing lists > Public > public-device-apis@w3.org > October 2009

Re: ISSUE-27: [Policy] Is revocation in scope [Security Policy Framework General]

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Wed, 7 Oct 2009 09:56:02 -0400
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, Device APIs and Policy Working Group WG <public-device-apis@w3.org>
Message-Id: <83AD29B5-A0F4-4317-BB5D-445FDB5D96C6@nokia.com>
To: ext Paddy Byers <paddy.byers@gmail.com>
We did not want to constrain the implementation given various  
possibilities, yet allow CRLs and OCSP where appropriate. We also did  
not want to bring in all the nuances of PKI into the spec.

regards, Frederick

Frederick Hirsch
Nokia



On Oct 7, 2009, at 9:28 AM, ext Paddy Byers wrote:

> Hi,
>
> Is revocation in scope of the DAP policy v1, or should it be  
> deferred to v.next?
>
> Proposal: defer to v.next
>
> Rationale:  More than one mechanism might be used to implement  
> revocation, so it can be deployment specific.
>
> In Widgets DigSig [0] we just have the (non-normative) note:
> Note: A user agent's security policy can affect how signature  
> validation impacts operation, and may have additional constraints on  
> establishing trust, including additional requirements on certificate  
> chain validation and certificate revocation processing using CRLs  
> [RFC5280] or OCSP [RFC2560].
>
> There are no explicit requirements, nor non-normative implementation  
> advice, as to whether a UA performs status/CRL processing for any/ 
> all of the certs in a chain at the time of installation, or at any  
> other time. Does anyone know the history of how WebApps arrived at  
> that position? Too hard to agree, not in scope, or not enough time?
>
> Paddy
>
> [0]: http://dev.w3.org/2006/waf/widgets-digsig/#use
Received on Wednesday, 7 October 2009 13:57:32 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:53:39 UTC