Re: [widgets] dig sig and requirements ready for pub! from Marcos Caceres on 2009-05-04 (public-webapps@w3.org from April to June 2009)

From: Marcos Caceres <marcosc@opera.com>
Date: Mon, 4 May 2009 18:42:53 +0200
To: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Cc: "Barstow Art (Nokia-CIC/Boston)" <Art.Barstow@nokia.com>, ext Kai Hendry <hendry@aplix.co.jp>, Thomas Roessler <tlr@w3.org>, public-webapps <public-webapps@w3.org>
Message-ID: <b21a10670905040942pc3e5d92n35ce8a00edb88e3f@mail.gmail.com>

On Mon, May 4, 2009 at 4:13 PM, Frederick Hirsch
<Frederick.Hirsch@nokia.com> wrote:
> The Identifier property is useful for audit and management in the backend.
>  I believe this should remain in the specification and should remain a
> normative section, agreeing with Thomas note in the chat. It was added based
> on requirements from WG members.
>

I understand the use case, but i still don't understand why we are
mandating the use of the dsp:Identifier if it's not going to be used
by the UA? If a signer wants to use dsp:Identifier for whatever
reason, then are free to do so by using the Signature Properties spec.
Putting something in the spec that does not do anything doesn't make
sense to me.

> Thomas mentioned in the chat the means to obtain unique values, e.g. large
> random number, serial number + DNS  etc, but I think this can be out of
> scope of the spec.
>
> Currently the specification states
> Each widget signature MUST contain a dsp:Identifier signature properties
> element compliant with XML Signature Properties [XMLDSIG-Properties] and
> this specification.
>
> We can add, "A signer MUST place the dsp:Identifier signature property into
> the signature when generating the signature." if necessary.
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
>
> On May 4, 2009, at 9:38 AM, Barstow Art (Nokia-CIC/Boston) wrote:
>
>> Kai - this is a good question.
>>
>> Frederick - we (MC, TLR and I) talked about this in IRC today. Please
>> take a look and let us know your thoughts:
>>
>>  <http://krijnhoetmer.nl/irc-logs/webapps/20090504>
>>
>> -Regards, Art Barstow
>>
>>
>> On May 1, 2009, at 6:49 AM, ext Kai Hendry wrote:
>>
>>> http://dev.w3.org/2006/waf/widgets-digsig/#identifier-signature-
>>> property
>>>
>>> I'm not sure what "signature management" is exactly, though can
>>> someone please inform me what a UA is supposed to do with
>>> dsp:Identifier?
>>>
>>>
>>> I'm also keen on seeing a simple self sign sign/verify example using
>>> http://www.aleksey.com/xmlsec/ or some other opensource tool.
>>>
>>>
>>> Kind regards,
>>>
>>
>
>
>



-- 
Marcos Caceres
http://datadriven.com.au

Received on Monday, 4 May 2009 16:43:59 UTC