- From: Priestley, Mark, VF-Group <Mark.Priestley@vodafone.com>
- Date: Thu, 12 Feb 2009 12:49:26 +0100
- To: "Frederick Hirsch" <Frederick.Hirsch@nokia.com>, "ext Thomas Roessler" <tlr@w3.org>
- Cc: "Barstow Art (Nokia-CIC/Boston)" <Art.Barstow@nokia.com>, "ext Marcos Caceres" <marcosscaceres@gmail.com>, "public-webapps" <public-webapps@w3.org>
Thomas Roessler wrote:

>> Just for clarity, there are two possible requirements around OCSP and
>> CRLs:
>>
>> - support embedding an OCSP response (or a CRL, or a link to a CRL)
>> in the mark-up of signatures
>> - support querying OCSP responders (and CRLs) as part of certificate
>> validation
>>
>> I'd argue that the latter is more important than the former.

[mp] I agree the latter is more important, but see below...

Frederick Hirsch wrote:

> we need explicit schema support (in Signature 1.1) for
> explicit OCSP responses, for the latter a processing rule in
> widgets signature may be enough. Perhaps this does not need to
> be required must in the widgets spec, depends on requirements.
>
> Mark, I believe you mentioned you have additional thoughts on
> these requirements.

[mp] The requirements state that it must be possible to include revocation information in the signature, and when present that the specification should say how to process this information [3]. On re-reading this requirement, I wonder whether we didn't fold two requirements into one and not get it quite right...

In any case, looking at the requirement afresh, as Thomas and Frederick suggest, the ability to include OCSP responses in signatures should be addressed in XML Signature Syntax and Processing Version 1.1 [4]. Our requirement should probably be changed to be the ability to process revocation information contained in the signature, and should probably be a SHOULD.

In regards to the processing of revocation information, originally I was pushing for Widgets 1.0: Digital Signatures [1] to include an OCSP and CRL profile to try and help ensure interoperability between OCSP/CRL clients and responders/servers across organisations. My suggestion for an OCSP profile would have been to reference (or take inspiration from) the OMA Online Certificate Status Protocol Mobile Profile [2]; however, I'm no longer sure that this is a good idea. This profile is obviously aimed at mobile devices and therefore may create inter-operability issues for non-mobile implementations (and mobile implementations that don't follow OMA).

So more generally, I would propose that OCSP and CRL processing should be removed from [1]. The reasoning is that it is likely that other standards bodies, companies and organisations will want to specify this behaviour in order to work with their existing infrastructure. I am more and more of the opinion that [1] should simply provide the format and processing rules that enable the use of interoperable signatures across widget user agents. How these signatures are used should be covered elsewhere.

Thanks,

Mark

[1] http://dev.w3.org/2006/waf/widgets-digsig/
[2] http://www.openmobilealliance.org/Technical/release_program/docs/copyrightclick.aspx?pck=OCSP&file=V1_0-20070403-A/OMA-WAP-OCSP_MP-V1_0-20070403-A.pdf
[3] http://dev.w3.org/2006/waf/widgets-reqs/#r49.-inclusion-of-revocation-information
[4] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/

> -----Original Message-----
> From: Frederick Hirsch [mailto:Frederick.Hirsch@nokia.com]
> Sent: 04 February 2009 20:53
> To: ext Thomas Roessler
> Cc: Frederick Hirsch; Barstow Art (Nokia-CIC/Boston); Priestley, Mark, VF-Group; ext Marcos Caceres; public-webapps
> Subject: Re: [widgets] Getting synch'ed up on Widgets Digital Signatures
>
> we need explicit schema support (in Signature 1.1) for
> explicit OCSP responses, for the latter a processing rule in
> widgets signature may be enough. Perhaps this does not need to
> be required must in the widgets spec, depends on requirements.
>
> Mark, I believe you mentioned you have additional thoughts on
> these requirements.
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> On Feb 4, 2009, at 3:49 PM, ext Thomas Roessler wrote:
>
>> On 4 Feb 2009, at 21:45, Arthur Barstow wrote:
>>
>>> * Is supporting OCSP and CRL a MUST for v1?
>>
>> Just for clarity, there are two possible requirements around OCSP and
>> CRLs:
>>
>> - support embedding an OCSP response (or a CRL, or a link to a CRL)
>> in the mark-up of signatures
>> - support querying OCSP responders (and CRLs) as part of certificate
>> validation
>>
>> I'd argue that the latter is more important than the former.
>>
>> --
>> Thomas Roessler, W3C <tlr@w3.org>
Received on Thursday, 12 February 2009 11:50:13 UTC