OMTP BONDI input to W3C - non-W3C RF committed contributions highlighted

Dear all,

As discussed in the meeting today, please find further details in the
OMTP BONDI submission of non-W3C member inputs - members of OMTP that
have contributed but have not signed the RF policy of W3C. This applies
to "BONDI Comments to W3C Web Applications WG Widget Requirements OMTP
Public Working Draft v1_0" [1]. Please note there were no non-member
contributions to the OMTP BONDI submission to W3C [2].

The relevant text is shown highlighted in the attached pdf and also
shown as plain text below, marked with the excerpted text from the
document with guillemets << >>.

"RXX. Support for Multiple Message Digest Algorithms

A conforming specification SHALL specify that where the integrity of
data is protected using a message digest, it SHALL be possible to use
the SHA-1 message digest algorithm and <<SHALL>> be possible to use the
SHA-256 message digest algorithm."

...

"RXX. Key Lengths

A conforming spec SHALL specify that widget processing environments
SHALL support RSA with key lengths up to at least 2048 bits and SHALL
support DSA with key lengths up to at least 2048 bits (see NIST
Recommendation
<http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf>).
A conforming spec SHALL recommend that widget signing tools SHALL
support and use RSA with key lengths of at least 2048 bits and DSA with
key lengths of at least 2048 bits (see NIST Recommendation
<http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf>).

Motivation:

Security <http://www.w3.org/TR/2008/WD-widgets-reqs-20080625/#security0>

Rationale:

To be in-line with current security recommendations and provide
longevity of the system security. <<In some use cases it may be
desirable to use key lengths of less than 2048 bits, e.g. where the
impact on performance outweighs the additional security afforded.>> "

...

"RXX. Key Usage Extension

A conforming specification MUST specify the expected use of valid key
usage extensions and when present (in end entity certs) MUST specify
that implementations verify that the extension has the digitalSignature
bit set.

A conforming specification MUST specify that implementations recognize
the extended key usage extension and when present (in end entity certs)
verify that the extension contains the id-kp-codeSigning object
identifier. <<A conforming specification MAY also define a new OID
specifically for widget signing, and specify that implementations verify
that the extended key usage extension in the end entity cert contains
this new OID.>>"

Thanks,

David.

[1] http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0302.html

[2] http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0308.html

Received on Wednesday, 27 August 2008 09:43:30 UTC
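The end-entity certificate checks quoted above (RSA key length of at least 2048 bits, digitalSignature when keyUsage is present, id-kp-codeSigning when extKeyUsage is present), as an added Go example that is not part of this message or of the BONDI/W3C documents. The widget-signing OID is a hypothetical placeholder, since the text only says a spec MAY define one, and the self-signed sample certificates are constructed inline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)
// Hypothetical widget-signing EKU OID (placeholder arc; the page defines no such value).
var oidWidgetSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// checkWidgetSigningCert applies the quoted requirements to an end-entity certificate: RSA modulus
// >= 2048 bits, digitalSignature set if keyUsage is present, id-kp-codeSigning or the widget OID if EKU is present.
func checkWidgetSigningCert(cert *x509.Certificate) error {
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		return fmt.Errorf("RSA key too short: %d bits", pub.N.BitLen())
	}
	if cert.KeyUsage != 0 && cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return fmt.Errorf("keyUsage present but digitalSignature bit not set")
	}
	ok := len(cert.ExtKeyUsage)+len(cert.UnknownExtKeyUsage) == 0 // no EKU extension: rule does not apply
	for _, eku := range cert.ExtKeyUsage {
		ok = ok || eku == x509.ExtKeyUsageCodeSigning
	}
	for _, oid := range cert.UnknownExtKeyUsage {
		ok = ok || oid.Equal(oidWidgetSigning)
	}
	if !ok {
		return fmt.Errorf("extKeyUsage present but lacks id-kp-codeSigning and the widget OID")
	}
	return nil
}
// makeCert builds a constructed self-signed sample certificate with the given key size and extensions.
func makeCert(bits int, ku x509.KeyUsage, ekus []x509.ExtKeyUsage,
	extra []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "widget-signer"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: ku, ExtKeyUsage: ekus, UnknownExtKeyUsage: extra}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A real verifier would run these checks after chain validation, since a self-signed sample like the one built here proves nothing about the issuer.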