
Re: Comments on Widgets 1.0 Security requirements

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Mon, 19 Jan 2009 12:21:13 +0000
To: Arthur Barstow <art.barstow@nokia.com>, Mark Priestley <Mark.Priestley@vodafone.com>, Frederick Hirsch <frederick.hirsch@nokia.com>, public-webapps <public-webapps@w3.org>, Thomas Roessler <tlr@w3.org>
Message-ID: <C59A20B9.3D51%marcosscaceres@gmail.com>

Hi Artb, 

On 1/13/09 7:46 PM, "Arthur Barstow" <art.barstow@nokia.com> wrote:

> 
> I agree with Frederick that R44 as codified in the most recent ED (11
> Dec 2008) isn't clear,  particularly trying to foresee what exactly
> would be specified in the Widgets DigSig spec and assuring we don't
> prescribe deployments:
> 
> [[
> R44. Signature Document Independence
> <http://dev.w3.org/2006/waf/widgets-reqs/#r44.->
> 
> A conforming specification MUST recommend a digital signature format
> that allows for the signature value(s) and associated certificate
> chain(s) (if any) associated to the widget resource to be used
> independently of the widget resource. A conforming specification
> SHOULD provide guidelines for how any digital signature can be used
> separately from a widget resource.
> ]]
> 
> Based on the following "clarifications" and Mark's reply above:
> 
> [[
> <http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0036.html>
> 
> 1. It MUST be possible to extract a _copy_ of the digital signature
> document(s) from the widget package.
> 
> 2. It SHOULD (MUST?) be possible for the widget user agent to complete
> the signature validation processing for a digital signature document
> that is provided independently of a widget package (noting that the
> signature is not validated until the reference validation processing has
> also been successfully completed)
> ]]
> 
> It seems like #1 is a no-brainer in that every file in the package
> must be extractable and if that requirement needs to be explicit, it
> doesn't need to be stated as such in the context of "Signature
> Document Independence".
> 
> I view #2 as an implementation optimization that should be out-of-
> band for the spec. I can't imagine we would write a spec that would
> preclude a UA from doing what it is described above.
> 
> Given all of this, I'm not convinced this requirement is needed.

I agree with Art, this requirement is a no-brainer. Nevertheless, as it
does no real harm, I'm inclined to leave it in the document.

I've renamed it and rewritten it as:

[R44. Signature Document Format


A conforming specification MUST recommend a digital signature format that
can be extracted and used independently of the widget resource. A conforming
specification SHOULD provide guidelines for how any digital signature can be
used separately from a widget resource.]

Kind regards,
Marcos 
Received on Monday, 19 January 2009 20:50:19 GMT
