- From: Marcos Caceres <marcosscaceres@gmail.com>
- Date: Wed, 3 Sep 2008 15:32:58 +0100
- To: "David Rogers" <david.rogers@omtp.org>
- Cc: public-webapps@w3.org, art.barstow@nokia.com, "Nick Allott" <nick.allott@omtp.org>
Hi David,

On Wed, Aug 27, 2008 at 10:42 AM, David Rogers <david.rogers@omtp.org> wrote:
> Dear all,
>
> As discussed in the meeting today, please find further details in the OMTP
> BONDI submission of non-W3C member inputs – members of OMTP that have
> contributed that have not signed the RF policy of W3C. This applies to
> "BONDI Comments to W3C Web Applications WG Widget Requirements OMTP Public
> Working Draft v1_0" [1]. Please note, there were no non-member contributions
> to the OMTP BONDI submission to W3C[2].
>
> The relevant text is shown highlighted in the attached pdf and also shown as
> plain text below, marked with the excerpted text from the document with
> guillemets << >>.
>
> "RXX. Support for Multiple Message Digest Algorithms
>
> A conforming specification SHALL specify that where the integrity of data is
> protected using a message digest, it SHALL be possible to use the SHA-1
> message digest algorithm and <<SHALL>> be possible to use the SHA-256
> message digest algorithm."

Shall is a MUST in our document. The WG discussed adding sha-256 long before BONDI joined the group (can't be bothered finding the teleconf minutes). I'm no lawyer, but I don't think there is any IPR here :)

> "RXX. Key Lengths
>
> A conforming spec SHALL specify that widget processing environments SHALL
> support RSA with key lengths up to at least 2048 bits and SHALL support DSA
> with key lengths up to at least 2048 bits (see NIST Recommendation). A
> conforming spec SHALL recommend that widget signing tools SHALL support and
> use RSA with key lengths of at least 2048 bits and DSA with key lengths of
> at least 2048 bits (see NIST Recommendation).
>
> Motivation:
>
> Security
>
> Rationale:
>
> To be in-line with current security recommendations and provide longevity of
> the system security. <<In some use cases it may be desirable to use key
> lengths of less than 2048 bits, e.g. where the impact on performance
> outweighs the additional security afforded.>> "

I've removed the text. It's kinda contradictory to say that a widget engine must support 2048 bit and then recommend that people don't use it for performance reasons (though I can understand why one would say that). We should add something similar to either the dig sig spec or to a Widgets Primer at some point.

> ...
>
> "RXX. Key Usage Extension
>
> A conforming specification MUST specify the expected use of valid key usage
> extensions and when present (in end entity certs) MUST specify that
> implementations verify that the extension has the digitalSignature bit set.
>
> A conforming specification MUST specify that implementations recognize the
> extended key usage extension and when present (in end entity certs) verify
> that the extension contains the id-kp-codeSigning object identifier. <<A
> conforming specification MAY also define a new OID specifically for widget
> signing, and specify that implementations verify that the extended key usage
> extension in the end entity cert contains this new OID.>>"

Although we were already in the process of doing this anyway, I think the OID part of the requirement is overly prescriptive so I've removed it.

--
Marcos Caceres
http://datadriven.com.au
Received on Wednesday, 3 September 2008 14:33:36 UTC
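
Added example, not part of the original message or of any W3C or BONDI code: the "when present" checks from the quoted Key Usage Extension requirement, applied to an end entity certificate with the Python `cryptography` package. The names `check_signer_cert` and `make_cert`, and the self-signed test certificates, are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def check_signer_cert(cert):
    """Return the list of violations of the two 'when present' checks."""
    problems = []
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.digital_signature:
            problems.append("keyUsage present without digitalSignature")
    except x509.ExtensionNotFound:
        pass  # keyUsage absent: the requirement imposes no check
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.CODE_SIGNING not in eku:
            problems.append("extendedKeyUsage present without id-kp-codeSigning")
    except x509.ExtensionNotFound:
        pass  # extendedKeyUsage absent: again no check applies
    return problems

# Constructed 2048-bit RSA test key, generated at import time and reused below.
_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)

def make_cert(digital_signature=None, eku_oids=None):
    """Build a constructed self-signed cert; None omits that extension."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed signer")])
    start = datetime.datetime(2008, 9, 3)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(_KEY.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365)))
    if digital_signature is not None:
        b = b.add_extension(x509.KeyUsage(
            digital_signature=digital_signature, content_commitment=False,
            key_encipherment=True, data_encipherment=False, key_agreement=False,
            key_cert_sign=False, crl_sign=False, encipher_only=False,
            decipher_only=False), critical=True)
    if eku_oids is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(eku_oids), critical=False)
    return b.sign(_KEY, hashes.SHA256())
```

A certificate with neither extension passes both checks, which is the behaviour the "when present" wording implies; a deployment that wants the extensions to be mandatory needs a separate rule.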