- From: Marcos Caceres <marcosscaceres@gmail.com>
- Date: Mon, 19 Jan 2009 12:21:13 +0000
- To: Arthur Barstow <art.barstow@nokia.com>, Mark Priestley <Mark.Priestley@vodafone.com>, Frederick Hirsch <frederick.hirsch@nokia.com>, public-webapps <public-webapps@w3.org>, Thomas Roessler <tlr@w3.org>
Hi Artb,

On 1/13/09 7:46 PM, "Arthur Barstow" <art.barstow@nokia.com> wrote:
>
> I agree with Frederick that R44 as codified in the most recent ED (11
> Dec 2008) isn't clear, particularly trying to foresee what exactly
> would be specified in the Widgets DigSig spec and assuring we don't
> prescribe deployments:
>
> [[
> R44. Signature Document Independence
> <http://dev.w3.org/2006/waf/widgets-reqs/#r44.->
>
> A conforming specification MUST recommend a digital signature format
> that allows for the signature value(s) and associated certificate
> chain(s) (if any) associated to the widget resource to be used
> independently of the widget resource. A conforming specification
> SHOULD provide guidelines for how any digital signature can be used
> separately from a widget resource.
> ]]
>
> Based on the following "clarifications" and Mark's reply above:
>
> [[
> <http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0036.html>
>
> 1. It MUST be possible to extract a _copy_ of the digital signature
> document(s) from the widget package.
>
> 2. It SHOULD (MUST?) be possible for the widget user agent to complete
> the signature validation processing for a digital signature document
> that is provided independently of a widget package (noting that the
> signature is not validated until the reference validation processing has
> also been successfully completed)
> ]]
>
> It seems like #1 is a no-brainer in that every file in the package
> must be extractable and if that requirement needs to be explicit, it
> doesn't need to be stated as such in the context of "Signature
> Document Independence".
>
> I view #2 as an implementation optimization that should be out-of-band
> for the spec. I can't imagine we would write a spec that would
> preclude a UA from doing what it is described above.
>
> Given all of this, I'm not convinced this requirement is needed.

I agree with Art, this requirement is a no-brainer. Nevertheless, as it does no real harm, I'm inclined to leave it in the document. I've renamed it and rewritten it as:

[R44. Signature Document Format

A conforming specification MUST recommend a digital signature format that can be extracted and used independently of the widget resource. A conforming specification SHOULD provide guidelines for how any digital signature can be used separately from a widget resource.]

Kind regards,
Marcos

Received on Monday, 19 January 2009 20:50:19 UTC