Re: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: Packaging & Configuration spec

Hi Frederick,

On Tue, Feb 24, 2009 at 11:19 PM, Frederick Hirsch wrote:
> The Widget Signature spec is not an API definition so probably does not need
> to define how signature status information is returned.

You are right, so agreed.

> I also agree that it
> would be incorrect to define in the Widget Signature spec whether or not a
> widget is valid, that is out of scope.

Right again.

> The spec limits itself to signature
> validation.  However I would not want to be prescriptive in the
> specification to the level of status return codes.

Ok, makes sense.

> We may want to add a security considerations note along the lines of
> "As distributor signatures are not included in an overall widget signature,
> it is possible for signatures to be added or removed and hence a secure
> channel for widget delivery might be preferable."

Ok, that is also an important security consideration. Should
definitely have that in the spec under security considerations or some
such section.

Marcos Caceres

Received on Tuesday, 24 February 2009 22:34:43 UTC