RE: [Policy] [ACTION-152] Editor Updates to Policy Requirements and Policy Framework

Hi Claes,

Sorry for the delay in answering your e-mail. Please find my comments
below.

> Section 3.3.1 Widget Attributes:
> * Why is only "common name" used for distributor, distributor root,
> author and author root certificates? Don't we need the whole "subject" to get
> a more flexible identification of a widget resource?
I see your point and agree that considering the whole subject for the
root certificates may make more sense, since the subject for the root
certificates is very likely to stay the same. However, for other
certificates I don't believe using the whole subject to identify a
widget is the best option, since: i) the probability that the fields in
the subject change is very high; ii) according to the standards the
fields in the subject are order independent, which means that when
comparing the content of the subject with the policy, a different order
could mean that the subject-match is not met even if the subject fields
have the same values; iii) there is no limit on the size of the subject,
which could potentially be a problem.

> Section 3.3.2 Website Attributes:
> In order to securely identify a web site and achieve the granularity
> of a specific web application, don't we need attributes for the site's
> server certificate? I also suggest that server certificate attributes
> are added:
> * Suggest that the whole "subject" is used instead of only "common
> name" for the root certificate.
Agree in the case of the root certificate.
> * Suggest to add: key-server-subject: The subject field of the server
> certificate chained to by the site certificate. Empty bag if none.
Sorry I don't understand this comment... What is the difference between
the site certificate and the server certificate?
> * Suggest to add: key-server-fingerprint: The fingerprint of the root
> certificate chained to by the site certificate. Empty bag if none.
Do you mean "server certificate"?

Let me know what you think.

Thanks,

Laura

Received on Wednesday, 5 May 2010 13:29:46 UTC
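To make the matching question discussed in the thread concrete, here is an added illustration (my own code, not code from the policy framework or from either correspondent). It compares a certificate subject against a policy rule in three ways: by common name only, by the whole subject compared field by field in the order written, and by the whole subject with attribute order ignored. The toy DN syntax, the sample subjects, and the constructed certificate bytes are assumptions made for the example; only the Python standard library is used.

```python
"""Three ways a policy rule can identify a certificate holder.

Added example for the discussion of "common name" versus whole "subject"
matching; it is not code from the policy framework. The DN syntax below
is a simplified assumption: one attribute per RDN, comma separated, no
escaping of commas inside values.
"""
import hashlib
from typing import List, Optional, Tuple

# A subject is an ordered list of (attribute type, value) pairs.
Subject = List[Tuple[str, str]]


def parse_dn(text: str) -> Subject:
    """Parse "CN=Widget Co,O=Example AB,C=SE" into (type, value) pairs.

    Attribute types are upper-cased so "cn" and "CN" compare equal;
    values are kept verbatim. Order of the input is preserved.
    """
    subject: Subject = []
    for part in text.split(","):
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        subject.append((attr_type.strip().upper(), value.strip()))
    return subject


def common_name(subject: Subject) -> Optional[str]:
    """Return the first CN attribute of the subject, or None if absent."""
    for attr_type, value in subject:
        if attr_type == "CN":
            return value
    return None


def match_common_name(subject: Subject, policy_cn: str) -> bool:
    """Rule that names only the common name (the current 3.3.1 style)."""
    return common_name(subject) == policy_cn


def match_subject_ordered(subject: Subject, policy: Subject) -> bool:
    """Whole-subject rule compared field by field in the order written.

    This is what a naive string comparison of two DNs amounts to; it fails
    when the same attributes are presented in a different order.
    """
    return subject == policy


def match_subject_unordered(subject: Subject, policy: Subject) -> bool:
    """Whole-subject rule compared as a multiset, so attribute order is ignored."""
    return sorted(subject) == sorted(policy)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate encoding: fixed length whatever the subject size."""
    return hashlib.sha256(der).hexdigest()


# Constructed sample (assumption for the example): the same author
# certificate subject as issued and as re-serialised by another tool.
SUBJECT_AS_ISSUED = parse_dn("CN=Widget Co,O=Example AB,C=SE")
SUBJECT_REORDERED = parse_dn("C=SE,O=Example AB,CN=Widget Co")
# Constructed stand-in for DER certificate bytes; not a real certificate.
CERT_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"


def demo() -> dict:
    """Evaluate the reordered subject against a policy written in issued order."""
    policy_cn = "Widget Co"
    policy_subject = parse_dn("CN=Widget Co,O=Example AB,C=SE")
    return {
        "cn_match": match_common_name(SUBJECT_REORDERED, policy_cn),
        "ordered_match": match_subject_ordered(SUBJECT_REORDERED, policy_subject),
        "unordered_match": match_subject_unordered(SUBJECT_REORDERED, policy_subject),
        "fingerprint_len": len(fingerprint(CERT_DER)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the effect the thread describes: the common-name rule and the order-insensitive whole-subject rule both accept the reordered subject, while the field-by-field comparison rejects it even though every attribute value is identical. The fingerprint helper is included only to show that a digest attribute has a fixed length, unlike a subject.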