Re: OMTP BONDI input to W3C - non-W3C RF committed contributions highlighted

Hi David,

On Wed, Aug 27, 2008 at 10:42 AM, David Rogers <david.rogers@omtp.org> wrote:
> Dear all,
>
>
>
> As discussed in the meeting today, please find further details in the OMTP
> BONDI submission of non-W3C member inputs – members of OMTP that have
> contributed that have not signed the RF policy of W3C. This applies to
> "BONDI Comments to W3C Web Applications WG Widget Requirements OMTP Public
> Working Draft v1_0" [1]. Please note, there were no non-member contributions
> to the OMTP BONDI submission to W3C[2].
>
>
>
> The relevant text is shown highlighted in the attached pdf and also shown as
> plain text below, marked with the excerpted text from the document with
> guillemets << >>.
>
>
>
>
>
> "RXX. Support for Multiple Message Digest Algorithms
>
>
>
> A conforming specification SHALL specify that where the integrity of data is
> protected using a message digest, it SHALL be possible to use the SHA-1
> message digest algorithm and <<SHALL>> be possible to use the SHA-256
> message digest algorithm."
>

Shall is a MUST in our document. The WG discussed adding sha-256 long
before BONDI joined the group (can't be bothered finding the teleconf
minutes). I'm no lawyer, but I don't think there is any IPR here:)

> "RXX. Key Lengths
>
> A conforming spec SHALL specify that widget processing environments SHALL
> support RSA with key lengths up to at least 2048 bits and SHALL support DSA
> with key lengths up to at least 2048 bits (see NIST Recommendation). A
> conforming spec SHALL recommend that widget signing tools SHALL support and
> use RSA with key lengths of at least 2048 bits and DSA with key lengths of
> at least 2048 bits (see NIST Recommendation).
>
>
>
> Motivation:
>
> Security
>
> Rationale:
>
> To be in-line with current security recommendations and provide longevity of
> the system security. <<In some use cases it may be desirable to use key
> lengths of less than 2048 bits, e.g. where the impact on performance
> outweighs the additional security afforded.>> "

I've removed the text. It's kinda contradictory to say that a widget
engine must support 2048 bit and then recommend that people don't use
it for performance reasons (though I can understand why one would say
that). We should add something similar to either the dig sig spec or
to the a Widgets Primer at some point.

> ...
>
>
>
> "RXX. Key Usage Extension
>
> A conforming specification MUST specify the expected use of valid key usage
> extensions and when present (in end entity certs) MUST specify that
> implementations verify that the extension has the digitalSignature bit set.
>
>
>
> A conforming specification MUST specify that implementations recognize the
> extended key usage extension and when present (in end entity certs) verify
> that the extension contains the id-kp-codeSigning object identifier. <<A
> conforming specification MAY also define a new OID specifically for widget
> signing, and specify that implementations verify that the extended key usage
> extension in the end entity cert contains this new OID.>>"

Although we were already in the process of doing this this anyway, I
think the OID part of the requirement is overly prescriptive so I've
removed it.

-- 
Marcos Caceres
http://datadriven.com.au

Received on Wednesday, 3 September 2008 14:33:36 UTC