- From: Arthur Barstow <art.barstow@nokia.com>
- Date: Thu, 26 Feb 2009 11:20:23 -0500
- To: public-webapps <public-webapps@w3.org>
The minutes from the February 25 Widgets f2f meeting are available at
the following and copied below:
<http://www.w3.org/2009/02/25-wam-minutes.html>
WG Members - if you have any comments, corrections, etc., please send
them to the public-webapps mail list before 5 March 2009 (the next
Widgets voice conference); otherwise these minutes will be considered
Approved.
-Regards, Art Barstow
[1]W3C
[1] http://www.w3.org/
- DRAFT -
Widgets F2F Meeting
25 Feb 2009
[2]Agenda
[2] http://www.w3.org/2008/webapps/wiki/WidgetsParisAgenda
See also: [3]IRC log
[3] http://www.w3.org/2009/02/25-wam-irc
Attendees
Present
Art, Andy, Claudio, Ivan, Fabrice, Rainer, Mark, David, Arve,
Benoit, Marcos, Mike(IRC), Josh(IRC), Billy, Mohammed, Josh
Regrets
Chair
Art
Scribe
Art
Contents
* [4]Topics
1. [5]<content> tags?
2. [6]Focus & widgets management; by Marcin
3. [7]Window Modes
4. [8]Proposal for a "Settings" View Mode; Benoit
5. [9]<access> Element
6. [10]BONDI Update by David Rogers
7. [11]New Work related to the Device API and Security
Workshop
8. [12]Widgets Digital Signatures
9. [13]Media type declarations; MIME; etc.
10. [14]# <feature> default; raised by Kai Hendry
11. [15]<icon> element ISSUE: what if it's a vector and no size
is given?
12. [16]<preference> element proposal; by Art Barstow
* [17]Summary of Action Items
_________________________________________________________
<ArtB> ScribeNick: ArtB
<scribe> Scribe: Art
Date: 25 Feb 2009
<content> tags?
AB: what is the status Ivan?
Ivan: I considere that closed in that the modes can be used to
address my use cases
Focus & widgets management; by Marcin
AB: not clear if this info was more FYI or formal comments for the
LCWD
Arve: I think this is more informational i.e. this is how Access
addresess window modes
MC: right; the QVGA proposal for example isn't something we want to
do
Arve: the methods in his email are mostly covered in our A&E spec
AB: do we need to follow-up?
Arve: there are no questions there
... if he feels strongly about his model being reflected in our
model, he should make specific proposals for the Editor
AB: I think that is a reasonable proposal
<scribe> ACTION: Marcos respond to Marcin and ask him to make
specific proposals if he has any [recorded in
[18]http://www.w3.org/2009/02/25-wam-minutes.html#action01]
<trackbot> Created ACTION-302 - Respond to Marcin and ask him to
make specific proposals if he has any [on Marcos Caceres - due
2009-03-04].
Window Modes
MP: want to discuss what goes into the P&C based on our consensus
from yesterday
AB: yesterday's minutes are:
[19]http://www.w3.org/2009/02/24-wam-minutes.html
[19] http://www.w3.org/2009/02/24-wam-minutes.html
Arve: not sure we will know until the new specs are available to
review
MP: re width and height property; in some cases you may want to use
a different values depending on the mode
... what goes in the modes spec?
MC: just the definitions of the 4 modes
[ Arve sketches a "live" proposal of the syntax ... ]
[ Marcos to drop in IRC this proposal ... ]
<Marcos> <viewport
<Marcos> mode = "one of the modes"
<Marcos> width = "csspx"
<Marcos> height = "csspx"
<Marcos> min-height = "csspx"
<Marcos> min-width = "csspx"
<Marcos> max-height = "csspx"
<Marcos> max-width = "csspx"
<Marcos> resize = "true|false"
<Marcos> ...
<Marcos> />
MP: the definitions of the modes spec will then define what these
mean?
Arve: yes, that's the idea
BS: how does one define a widget that works for both mobile and
desktop?
Arve: would define two veiwports
MP: but some modes don't use height and width
Arve: then for some modes they wouldn't be needed
AB: or ignored if present
BS: what about orientation of the device?
Arve: that's handled by CSS
... if a widget doesn't fit in a viewport e.g. on a mobile, the UA
could provide zoom
<timeless> so, a WUA is required to provide zoom?
<arve> timeless: no
Arve: we go with CSS pixels in the spec
... with the expectation that eventually UAs will likely do some
zooming
AB: Mark, are you asking for some details about what goes in the P&C
spec and the other two new specs proposed?
MP: I understand what goes into the two new proposed specs but not
clear about what goes in P&C
<scribe> ACTION: Marcos report back to the WG ASAP regarding your
ability to be the Editor of the two new specs proposed and discussed
on Feb 24 [recorded in
[20]http://www.w3.org/2009/02/25-wam-minutes.html#action02]
<trackbot> Created ACTION-303 - Report back to the WG ASAP regarding
your ability to be the Editor of the two new specs proposed and
discussed on Feb 24 [on Marcos Caceres - due 2009-03-04].
MC: I wonder if some of the attributes proposed above can be handled
by CSS
Arve: what if an imple doesn't support CSS
AB: I think we've hit the point of dimminishing returns on this
MC: give us a week and we'll put forward a proposal
Proposal for a "Settings" View Mode; Benoit
<Marcos>
[21]http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/02
48.html
[21] http://lists.w3.org/Archives/Public/public-webapps/
2009JanMar/0248.html
BS: in my email I enumerate various modes we need
... Settings is one mode we need but we haven't discussed
... think the developer would want a consistent and convenient way
to define/modify settings
MC: I'm warming to this idea a little
... e.g. could right-click and get to this info
Arve: I disagree vehemently
... this is ultimately about being able to display some specified
content in a specific way
... your solution implies pointing at a completely diff document or
firing some event or allowing the WUA to genearte a UA based on a
scheme with some prefs
BS: If I build a widget want a config view for it
Arve: how is that diff than any other state?
... how is settings different than refresh, for example
[ MC demos Dashboard and the "I" key used to get to the widget's
settings ... ]
MC: can imagine using some of the new CSS3 Modules e.g. Transforms
(2d, 3d), Transitions, etc.
DR: something like Fring service isn't useful until it is configured
Arve; well that's a broken service
DR: my point is there is a use case for using a widget's settings
without first instantiating the widget
Arve: this seems more about a widget being able to handle online or
offline
AB: I'm not seeing a lot of support for this
... One way fwd - after the two new specs are out and P&C spec
updated to reflect the new specs, then Benoit can submit a proposal
if his use case can't be addressed
BS: yes, that's OK with me
... I did want to discuss this mode and we've done that
AB: any other topics related to Window Modes?
[ None ]
<access> Element
AB: what's the best place to start?
MP: we should start with MC's latest e-mail
AB: here is MP's 2nd proposal:
[22]http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/05
05.html
... MC then responded on Feb 22 with:
[23]http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/05
17.html
[22] http://lists.w3.org/Archives/Public/public-webapps/
2009JanMar/0505.html
[23] http://lists.w3.org/Archives/Public/public-webapps/
2009JanMar/0517.html
MP: the semantics of the network attribute is not clear
... want author to be able to enumerate the white-listed hosts
... However, there are some use cases where that list will not be
know in advance e.g. a RSS reader
... We need an "escape" mechanism for these use cases
[ We review strawman proposal by Arve ... ]
<arve> element security optional
<arve> element access multiple
<arve> element "protocol" multiple
<arve> cdata
<arve> element "host" multiple
<arve> cdata
<arve> element "port" multiple
<arve> cdata
<arve> element "path" multiple
<arve> cdata
<arve> element "content"
<arve> attribute "plugin" value = "yes|no"
Arve: the idea is a widget would be restricted to those access
methods that are explicit in the config file
MP: BONDI has done some related work but using a URI with pattern
matching
... VF would like to move that functionality from BONDI spec to W3C
spec
<anne> arve, btw, why not just have <origin>
<Marcos> what do you mean by it?
<anne> arve, every other spec on the planet is moving towards that,
since you have the host,port,scheme tuple you might as well tag
along
<Marcos> anne
<arve> anne: mind joining the call and explaining it?
<anne> (it's just syntax so I don't think worth it)
<Marcos> <widget> <origin uri="[24]http://microsoft.com"> ?
[24] http://microsoft.com/
<anne> that's worth it*
<anne> <security> <origin>[25]http://example.org:81/</origin> rather
than putting scheme, host and port into separate elements
[25] http://example.org:81/%3C/origin%3E
<timeless> the strawman looks like it's likely to fail
<arve> anne: got URI schemes for ssh, telnet, xmpp, raw sockets,
udp?
Arve: with widgets, there isn't really an origin
<timeless> arve: there is a bad one for ssh and telnet
MC: that's one reason we need a different URI scheme for widgets
<Marcos> anne, can I take over microsoft?
<Marcos> see my example above?
<arve> protocol: https ; host: google.com, yahoo.com, ask.com; path:
search/
MC: need to also specify subdomains
<Marcos> MC: FWIW, this is like an inverse of CORS
MP: having multiple hosts associated with a single scheme and path
is problematic
<arve> Reverse the two strings given for the request host and the
host specified for the directive (directive host). Do a
case-insensitive character by character comparison of the strings.
If a mismatch is found before the end of the directive host string
is reached, and the last two characters in the directive host string
are not the character sequence '.*', consider the request host to
not be a match. If there are characters left to parse in the request
host, and the last
<arve> characters of the directive host were the wildcard sequence
'.*' consider the host a match.
Arve: I'm not totally opposed to a URI scheme
MC: what proposal is that?
Arve: the one from Anne above
... with a few modification
<arve> element uri multiple
<Marcos> Anne, do you still have any funky syntax in CORS for
selecting subdomains (i.e., *.example.com) ?
<arve> . attribute src
[ Arve begins a new strawman proposal ... ]
<arve> <network><access><uri
src="[26]http://www.google.com/"/></access></network>
[26] http://www.google.com/
Arve: need wildcards on path and subdomains
<anne> Marcos, no, just origins
<arve> *.google.com
<arve> google.com
<Marcos> so, nothing like what arve has above
<Marcos> right anne
<Marcos> you gave up on that
<anne> is there a document that outlines what this security proposal
is proposed to solve?
MP: BONDI allows wildcards in subdomains and paths
<Marcos> Anne, it's for cross domain request.
<Marcos> as perfomed when no origin is available
<arve> <path>/cats</path>
<arve> thus, the widget can access all of
<arve> /cats/siamese.html
<arve> /cats/
<arve> /catsoup
<anne> Marcos, does it affect e.g. <iframe>?
<Marcos> (HTML5 "origin" of a widget will be a widget specific URI
(e.g., widget://bla;1231-123
<anne> Marcos, because in that case <path> restrictions are
pointless
<anne> Marcos, why is there even restrictions on cross domain
requests and not just a http(s) boolean?
<Marcos> we are proposing <domain uri="*"/> meaning allow all
domains (and supported URI schemes) and <domain uri="uri"/>
MP: how would this deal with subdomain?
MC: they would have to be added
<Marcos> Anne, because we think that authors should declare which
domains they need to access
<Marcos> and we don't want to restrict this to http
<anne> Marcos, but why do you think authors need to do that?
<anne> Marcos, also, what APIs do you have that go beyond HTTP(S)?
AB: let's try to regroup and determine where we have agreement and
document those issues with no agreement
<Marcos> Anne, Q1. they probably don't. Q2. none :)
MP: subdomains is still open
... it would be good if we could synch with BONDI and their deadline
is March 9
... want to get alignment if at all possible
MC: so what exactly is the usage?
... how does it interact with sec policy?
Arve: don't want widgets to be a vessel for attacking remote web
sites
<Marcos> Anne... please see minutes now re q1
<anne> Marcos, great solution to a non-problem then, lol
Arve: thus may want to restrict some sites
MP: want author to practice least privs principle
... want other parties e.g. user, widget distributor, etc. to be
able to examine the host list
... I can then look at widget before I sign it
<Marcos> Anne, so that's Q1 above
<Marcos> so there is use cases
Arve: want to limit a set of subdomain possibly
<arve> ssh://foo.net/
MC: the very first version of the spec had something like this
AB: so where are we?
MC: I think we should use URIs
... learn from CORS experience
MP: we could limit the schemes for v1
MC: we can leave it to the WUA to handle what ever schemes it can
<arve> Use-case restrictions URI lead to:
<arve> what if I want unrestricted access to http, but restricted
access for xmpp
AB: I think we're going to continue to go around in circles if we
don't have some agreed requirements
MP: how long will it take to get agreement?
MC: depends on how fancy pants we want to get
AB: sounds like there is an action for MC and Arve to submit a
concrete proposal
Arve: we did send a proposal once
... but it needs some updating
[ Arve searches the mail list archive for his previous proposal ...
]
<arve>
[27]http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/03
32.html
[27] http://lists.w3.org/Archives/Public/public-webapps/
2008JulSep/0332.html
RH: also can have a web server on a SIM card
<scribe> ACTION: Marcos will make a hybrid proposal and send it the
mail list [recorded in
[28]http://www.w3.org/2009/02/25-wam-minutes.html#action03]
<trackbot> Created ACTION-304 - Will make a hybrid proposal and send
it the mail list [on Marcos Caceres - due 2009-03-04].
MC: do we need the access element?
Arve: prefer encapsulating it in a network element
<timeless> so, i think the tupppling in arve's proposal is likely to
result in messes
<timeless> but other than that, i'm not sure what to say
<timeless> and i think someone already raised the issue of tuppling
messes in the context of allow access to all https but limited http
[ Marcos adds Note to the Reader to P&C spec about <access> being a
WIP ; checks-in new version ]
BONDI Update by David Rogers
DR: first the so-called Turin Rules
<scribe> ScribeNick: Marcos
David: all contributions will be under RF, if not, they are not
submitted to the w3c.
... contributions that cannot be traced to an author or origin, will
not be submitted (it must be possible to trace it back to being RF)
... we have made sure that members are clear on RF requirements.
... OMTP members must make it clear where there are IPR claims....
David describes the "OMTP - BONDI IPR PRINCIPLES"
David: if you have any legal questions, please contact the w3c legal
team
... update on Bondi
<ArtB> ScribeNick: ArtB
DR: OMTP release 1.0 RefImpl
... based on Windows Mobile
... by RI in this context we mean an example of the implementation
of our specs
... The RI is helping to drive the specs
... using an interative model
... We have "code fests"
AB: who has contributed code?
DR: Aplix, BONDI staff
... some operators have also contributed
MC: the author is embedded in every source file
AB: what is the licensing?
... and does every file have an identical license?
DR: I'll come back to the licensing
... Opera joined OMTP
... and LiMo Foundation has endorsed BONDI specs
AB: what does that really mean in terms of devices shipping BONDI
implementations?
MP: LiMo devices that implement web runtimes should implement BONDI
specs
AB: is there an expectation LiMo will take the RI code?
MC: no; its a Windows implementation
<arve> [29]http://www.opera.com/press/releases/2009/02/16/
[29] http://www.opera.com/press/releases/2009/02/16/
Arve: Opera has been a member of LiMo since Feb 16
MP: there is some overlap of members between LiMo and OMTP
DR: at MWC some operators clearly endorsed BONDI e.g. AT&T
MC: what is the exact relationship between W3C widget specs and
BONDI widget specs
DR: we think W3C is the right place to create widget specs
MC: are BONDI specs Royalty-Free?
MP: I don't know
DR: let me come back to the licensing question
AB: still not clear to me about the relationship between W3C widget
specs and BONDI widget specs
MP: one thing we are focusing on is policy
MC: I've heard BONDI has resolved all of the open issues W3C has in
its specs
... I've also heard you have good uptake
Arve: my concern is regarding device APIs and security models
MP: BONDI has defined a set of device APIs
... we use <feature> from P&C to hook into those APIs
DR: later today I will post to public-webapps pointers to our
Candidate specs
AB: which version of the P&C spec has been implemented in the RI?
MP: not sure
AB: did BONDI create a Widgets P&C spec?
DR: no
AB: did BONDI create a Widgets DigSig spec?
DR: no
... we reference P&C and DigSig now; but do not currently reference
A&E
AB: you have created some deltas of the P&C spec right?
MP: yes. For example we added a new element because P&C's <access>
does not meet our requirements
DR: I think a delta doc makes sense
Arve: on March 9 BONDI will ship 1.0, right?
DR: yes
Arve: doesn't that tie W3C's hand?
DR: no. We want to get the specs synched.
AB: what happens starting on March 10? Will BONDI members start
shipping implementations of the RI?
MP: on March 10, VF will begin asking vendors to implement the BONDI
specs
MC: but this is going to lead to fragmentation
... these implemenations will not be the same as implemenations
based on the eventual Recommendation of W3C's widgets specs
MP: OMTP is only interested in mobile use cases
... thus we don't necessarily care about additional use cases that
go beyond mobile
MC: so it appears then that to meet your requirements it will lead
to more fragmentation
DR: we've done a lot of work related to security
CV: we are participating in both orgs
... the W3C's mobile web initiative hasn't really been that
successful
... and some players in the market are taking advantage of this
... Want the W3C to create the infrastructure
MC: I don't understand why the W3C should continue its work
MP: I dont' think there is any desire to create overlapping specs
... BONDI can't wait forever for W3C to complete their work
AB: ultimately it is a business decision regarding whether one
should ship an implementation of the W3C's widgets specs + BONDI
specs as of March 10
... people understand the risks
Arve: I think it is short-sighted to only look at this from the
mobile perspective
DR: OMTP intends to continue active participation in W3C
... we want to put our device APIs into the W3C
AB: is it then the case that on March 10, you expect BONDI to start
implementing your device APIs and to start shipping such
implemenations?
DR: not sure March 10 is the right date but yes, that is my
expectation
Arve: I would like to see OMTP/BONDI commit resources for Editing
API specs like File I/O
... requirements first of course; but follow up with spec
contributions too
... It sounds like this is going to lead some fragmentation in the
mobile space
MC: so now that we've continued discussion I'm seeing more of an
"embrace and extend" model
DR: re licensing - Apache 2.0
... that is for the BONDI RI
New Work related to the Device API and Security Workshop
AB: WS report [30]http://www.w3.org/2008/security-ws/report
... the report identifies 6 potential work areas and assigns
priorities to each
... what is BONDI's position re work split for the 4 High priority
items?
... which of the 6 items are in scope for BONDI?
[30] http://www.w3.org/2008/security-ws/report
MP: depends on what you mean by in scope
AB: which areas are actively in spec work?
DR: Concrete APIs
... Policy Description
... Policy Management is of interest
AB: what do you expect to push into the W3C?
MP: that not a useful question because we don't use that list
DR: we expect to submit some APIs
... and of course policy description
AB: and what is your pref for where that work is done?
DR: Web Apps WG
AB: as Chair, I think it will be hard to add so much new work to
WebApps
DR: Thomas would like to form a new WG re the policy work items
<tlr> "would like" sounds exaggerated. It looks like a likely path
forward.
<tlr> no interest in forcing things on you folks... ;)
AB: when will BONDI be ready to submit the Device API specs to the
W3C?
DR: I'm not sure but will find out
AB: perhaps you should send an email to
[31]http://lists.w3.org/Archives/Public/public-device-apis/ and
state BONDIs interest, plans, roadmap, etc
[31] http://lists.w3.org/Archives/Public/public-device-apis/
<tlr> +1 to sending that e-mail
<drogersuk> The other two points that I wanted to mention before the
BONDI discussion is closed are: 1) we'd like to be able to offer the
reference implementation as an implementation of the W3C spec at
some point
<drogersuk> 2) We'll be doing some work on testing and compliance -
the BONDI work here will be a superset of everything but could be
reused P&C and other specs
Widgets Digital Signatures
<fjh> latest editorial draft
<fjh> [32]http://dev.w3.org/2006/waf/widgets-digsig/
[32] http://dev.w3.org/2006/waf/widgets-digsig/
<fjh> review
<fjh>
[33]http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/05
48.html
[33] http://lists.w3.org/Archives/Public/public-webapps/
2009JanMar/0548.html
<fjh>
[34]http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/05
47.html
[34] http://lists.w3.org/Archives/Public/public-webapps/
2009JanMar/0547.html
<tlr> yes
AB: agenda
[35]http://www.w3.org/2008/webapps/wiki/WidgetsParisAgenda#Digital_S
ignature_spec
[35] http://www.w3.org/2008/webapps/wiki/
WidgetsParisAgenda#Digital_Signature_spec
<fjh> updated editors draft
[36]http://dev.w3.org/2006/waf/widgets-digsig/
[36] http://dev.w3.org/2006/waf/widgets-digsig/
FH: I suggest I walk thru my recent changes
AB: good
FH: some restructuring
... added namesaces
... added some definitions
... big change is Author and Distributor signatures
... updates should not be treated differently in this spec
... still need to work on algorithms
... XML Sig v1.1 should go to FPWD this week
... some work on the proc model
<mpriestl> I have a few small comments but overall I think this is
an excellent update of the document - many thanks Frederick!
FH: recommend we go thru TLR's comments first
AB: let's do that
<tlr>
[37]http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/05
47.html
[37] http://lists.w3.org/Archives/Public/public-webapps/
2009JanMar/0547.html
TR: I'll skip editorial comments
<scribe> ScribeNick: drogersuk
I would like to consider separate filname conventions
for distributor and authors
<fjh> Widget Signature Name:
<fjh> The reserved file name "author-signature.xml"
<fjh> "signature" [0-9]* ".xml"
<discussion on filename conventions>
FJH clarified a point that TLR raised - it was already included in
the spec
MC Thomas you have addressed my concerns, could you summarise why it
is bad to have <role> attribute for signature in signature.xml?
<fjh> single signature per file, should state that explicitly
TLR There is a basic design decision that there is a single
signature per file
TLR You don't want to look at two signatures at the same time
MC We don't want to use filenames as an extensibility mechanism, but
I can live with this
<fjh> right now we use file name convention instead of a manifest
<tlr> fjh, +1, that's precisely the problem
MC you are optimising prematurely
<fjh> of course a manifest could be signed, addressing the signature
insertion and deletion risk as well
MP There are cases where you may want to be able to find the author
signature without processing everything
MC I accept the proposed solution
TLR I do not like using the filename in this way. We have different
classes of resources inside the widget package
scribe: same problem as content type discovery
... clearly our solution is not best, a manifest is the best way
<tlr> ... and I'm happy to defer this part of the discussion to a
later time
MC I proposed a manifest solution a couple of days ago
scribe: it would be optional
... assigned around the content types
... per file declaration of what the content type is a maybe the
role
MP can the manifest discussion go on the mailing list?
<tlr> +1 to Mark
MP I'm happy to review that, we're in no way stuck on using
filenames, if there is a valid reason for manifest, let's discuss it
asap
TLR in the processing model, we say the distributor signature must
countersign the author signature. We validate that
<ArtB> [ discussing TLR's comment "The processing model in 6.2 does
not currently enforce the MUST NOT on distributor signatures
countersigning each other. I'm having a hunch that that might get
abused by malevolent distributors in order to interfere with each
other; I therefore suggest that distributorr signatures that
countersign each other are a reason for validation failure." ]
we do not validate a distiributor signing another distributor
scribe: I propose that this is invalid to break this case
MP: I agree
MC +1
<fjh> +1
DR: +1
AB: We have consensus here on that point
TLR: editorial on ID-based reference
MP: agreed
FJH: I'll update the draft. I could use some help from Thomas
TLR: I'd be happy to review, but won't commit on sending a proposal
<ArtB> [ TLR's comment "In 4.4, we currently perform a dance around
X.509 version numbers. Thinking this through more thoroughly, it
worries me that this came up, for the following reason: You need an
X.509 v3 extension to express the basic constraints on a
certificate. Without the basic constraints extension, it is
impossible to distinguish a CA certificate from an end entity
certificate. Which in turn suggests that somebody might have
inadvertently generated
AB: The group here are happy for you to update the draft
TLR: I propose certificates must be v3 to sign widgets
MP: I need to check internally - but provisionally this looks ok
MC: I'll do the same internally at Opera
FJH: It seems to be right for me
<tlr> RFC 5280 sets a default for v3 certificates that do not have
the extension, and that's important.
MC: It is messy supporting the three different standards
TLR: It is important to reference RFC-5280
AB: If we don't get any concerns in the next two weeks then we'll
accetp v3
FJH: Let's update to v3 now, then we can revert if issues
AB: We have agreement on that
<ArtB> [ TLR's comment "The current draft has a relatively complex
set of interacting signatures, but does not timestamp these at all.
I'd *really* like us to mandate a timestamp property on each of the
signatures, and demand during validation that the timestamp MUST be
in the past. To give just one example, assume a distributor's
signing process is found to be broken, but it's not practical to
exchange the signature key. Being able to weed out all signatures ma
TLR outlined the point
MP: Vodafone will most likely object to the validation failing if
the timestamp is in the future
... correction in the past
... People don't set their date and time in the phone
... This is a problem currently with java
... Unless we demand that we have network time or accurate time on
devices we will not be able to live with this
... Defining it in our specification is dangerous for that reason
... What type of timestamp? By the signer?
TLR: Yes
MP: The timestamp is a statement of when the author 'says' they
signed it
... Author's will set timestamps to make sure they get installed
correction: authors
MP: Do you see a use case for an expires and a timestamp?
TLR: I agree about the phones point
... This is a good argument against the MUST
... Having expiration is useful as well
... The two cover separate parts of the problem
<fjh> current signature properties draft
<fjh>
[38]http://www.w3.org/2008/xmlsec/Drafts/xmldsig-properties/Overview
.html
[38] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-properties/
Overview.html
TLR: expiration limits the impact in the future
... the timestamp helps you with which sequence signatures happened
... perhaps before some event
... when the package was signed can be critically important <DR:
this is for forensics purposes>
... and incident handling / reaction
<Marcos> +q
<Marcos> -q
<TLR ran over the points again>
<Marcos> +q should <timestamp> be added to XML Dig Sig 1.1 instead
of widgets dig sig?
<Marcos> +q to should <timestamp> be added to XML Dig Sig 1.1
instead of widgets dig sig?
<fjh> good question marcos
<Zakim> Thomas, you wanted to note that SHOULD with wall-clock is
fine if Opera don't enforce upon validation
MP: I support Frederick's suggestion which was to recommend the use
of timestamp and expires as best practices rather than mandating
them
... a recommendation is good enough here
MC: This timestamp element sounds pretty general. Shouldn't this go
in the XML DigSig Spec? Having said that I agree with Mark's
comments
<tlr> I think it's fine for this to go into the signature properties
document, with a "SHOULD use" in the widget signature spec.
FJH: There is some merit in what Marcos just said
... You might want to comment on that Thomas
... let's discuss that
<Marcos> +q
TLR: I don't have any deep thoughts on new timestamps... I'm fine
with having a should
... It becomes unlikely that best practices get implemented
MC: We want to avoid using new elements where possible
... our preference is to profile 1.1
MP: I would support roughly what marcos said. We should reference
the properties
... role, expires and timestamp
<ArtB> ACTION: Frederick check XMl Sig 1.1 re role, expires, etc.
properties [recorded in
[39]http://www.w3.org/2009/02/25-wam-minutes.html#action04]
<trackbot> Created ACTION-305 - Check XMl Sig 1.1 re role, expires,
etc. properties [on Frederick Hirsch - due 2009-03-04].
MP: but I would defer to the XML DigSig group
FJH: I agree with Mark
... TLR if could you write down that use case it would really help
<fjh> +1 to additional hash agl
AB: That closes the discussion then. TLR would you like to discuss
hash algorithms and revocation?
... Let's discuss both. Firstly hash algorithm
<ArtB> [ TLR's comment "I wonder whether we should be keeping an
additional hash algorithm in reserve, too. (That's a question that
needs to go back to the XML Security WG.)" ]
FJH: I agree we need a second hash algorithm
TLR: Not having a second hash algorithm that is outside the SHA
family is an issue
<tlr> I suspect consensus about hash algorithms is easier than on
the PK ones.
FJH: We require some time and thought to get to where we want to be
MP: On algorithms, on the digest algorithm I agree with TLR
... we have to be aware that in 5.2 Digest Algorithms, we support
additional methods
FJH: The validation needs to better match the generation
requirements, I will look at that
<ArtB> [ TLR's comment "I'm worried that we don't say anything about
revocation of signatures. I'd like to revisit why this is the case,
and whether there's anything we can do about it." ]
<fjh> suggest, we should not profile but should mention best
practice of certificate
<fjh> validtion and revocation checking
<Marcos> -q
TLR: <discusses complexities of revocation>
<fjh> identify signature versus certifcate revocation
<tlr> can live with
MP: Some of the stuff is policy dependent so is probably correctly
left out of the specification
FJH: I agree with Mark. I think we decided not to do a complete
profile of the XML DigSig spec within this spec
TLR: I can live with what Mark and Frederick said about revocation
... if we have a unique identifier for each signature, then we can
store metadata about specific signatures
<fjh> so signature identifier could be another signature property?
TLR: there may be several signatures over time from the same signer
<tlr> yes
AB: Mandatory algorithms
FJH: I'd like to mention something first
... I changed requirement 6.1 5c from MUST to MAY
... the ds:KeyInfo element MAY be included
MP: I have one question related to this
... we're relying on certificates - I'll go back and check this
... I think what you've changed is correct, but I just want to check
it
<fjh> If a ds:KeyInfo element is present then it MUST conform to the
[XMLDSIG11] specification. If present then any certificate chain
SHOULD be validated and any CRL or OCSP information may be used as
appropriate [RFC5280]..
FJH: I just wanted to highlight this
<fjh> also
<fjh> The ds:KeyInfo element MAY be included and MAY include
certificate, CRL and/or OCSP information. If so, it MUST be
compliant with the [XMLDSIG11] specification. If certificates are
used they MUST conform to the mandatory certificate format.
AB: OK so let's go to mandatory algorithms
<fjh> sections on generation and validation
AB: First Mark's point
<tlr> +1 to mark on that point
MP: I'd like to thankyou for the restructuring work, it has moved
this on a huge amount, thankyou
... I have some small editorials I will send via email
<fjh>
[40]http://dev.w3.org/2006/waf/widgets-digsig/#signature-valiation
[40] http://dev.w3.org/2006/waf/widgets-digsig/#signature-
valiation
MP: one point here: section 6.2
<fjh> +1 re install statement
<fjh> I mean +1 mark
<tlr> "not install" is probably the wrong category, yes
MP outlined issues on installations on different platforms
<fjh> proposal - If Widget Signature Validation fails for any reason
the application must be informed of the failure and possibly the
reason for failure.
FJH: I agree with these points you are making
MP: I agree with your approach FJH
... In multiple digital signatures with one passing and one failing,
there are different things to do, but that is getting into policy
<Marcos> MC: me too
TLR: A signature verifier could just return a boolean the way it is
currently written
... there is no understanding of what trust anchors there are
... I would like to see it covered
... there must be a policy in place
FJH: I can try and do some wording, I think you're right Thomas
MP: I agree it could be drawn out more, happy to help on this
<tlr> ACTION: thomas to say something about trust anchors in the
beginning of 6.2 [recorded in
[41]http://www.w3.org/2009/02/25-wam-minutes.html#action05]
<trackbot> Created ACTION-306 - Say something about trust anchors in
the beginning of 6.2 [on Thomas Roessler - due 2009-03-04].
<fjh> no
AB: Work split and step 4 and step 5...
MC: I removed anything about handling responses and deferred it to
widgets digsig spec
<ArtB> [ Step #4 is:
[42]http://dev.w3.org/2006/waf/widgets/#step-4--locate-digital-signa
tures-for-th ]
[42] http://dev.w3.org/2006/waf/widgets/#step-4--locate-digital-
signatures-for-th
MC: where do we put author signature?
<mpriestl> fjh, I don't think we need any
MP: It doesn't really matter
fjh: Policy issue
MP: no need change anything in widget digsig
... Find all signatures in package, then process in accordance with
... widget digsig
AB: step 4 and 5 have been simplified
MP: the last sentence in step 5 says a UA must process...
... it should be possible for the UA to jump out of the list if it
has enough information to make a policy decision
<fjh>
[43]http://dev.w3.org/2006/waf/widgets/#step-4--locate-digital-signa
tures-for-th
[43] http://dev.w3.org/2006/waf/widgets/#step-4--locate-digital-
signatures-for-th
MP: I might only be interested in the Nokia signature
<fjh> note need to change section 4 for author signatures
MP: It makes sense to process in order, then skip out
<fjh> [44]http://dev.w3.org/2006/waf/widgets/#digital-signatures
[44] http://dev.w3.org/2006/waf/widgets/#digital-signatures
MP: slight rewording plus a MAY on the author signature
<Marcos> MC: I added "Search at the root of the widget for any file
whose file name field case insensitively matches
author-signature.xml. If found, add this file entry to the
signatures list."
JS: My concern is that there is a revoked signature there
... I'd like people to consider it
... even if they are interested in something else
MP: You can define reasons for revocation if you want and there are
different things you may want to do.
... In some cases you may want to consider the status of more than
one signature. We wouldn't stop you doing that - the UA and the
policy determines when this happens
<timeless> soudns ok
FJH: Are we planning to address policy at some point?
... we need a note in the packaging spec
MP: The processing is dependent on your policy and we don't define
what that is
<fjh> need to add statement that processing depends on policy
DR: This comes back to our discussion on new work items - for
example security policy type issues
AB: So right now we don't have a draft charter for that working
group yet
<tlr> yes
FJH: Which is why we need to outline the concerns now before that
group is there
<Marcos> MC: As an aside, in the PC spec, I added the following text
"Search at the root of the widget for any file whose file name field
case insensitively matches the naming convention for the author's
digital signature (i.e., author-signature.xml). If found, add the
matching file entry to the end of the signatures list."
MC: the processing part in step 4
MP: This is sort of what we need, let's take it offline though
RH: If we have the author at the end of the list, we can't step out
of the processing
MC clarified how you could do this
<fjh> no
AB: Let's cover issue #81
... OK, schedule firast
first
MP: We've addressed most of the comments
... I think we're ready once the updates are complete, we're ready
to go to the next WD. Next stage would be LCWD
... Fundamentals have not changed and I think we're all agreed on
and it would be great to get to last call
FJH: I need to make some changes and include the comments, I'd like
to reference the FCWD from XML DigSig this week
... Other than that, then I don't see why not
... Properties stuff would mean doc would need delaying
TLR: We have some different options - perhaps we could put an
editors note in the widget signatures document saying what will be
included
FJH: This could solve the properties issue
<tlr> it's not pretty, but it's probably easiest
AB: We have agreement on that route
... 4-5 weeks from now we could have a LCWD
TLR: Let's take this offline
<Benoit> I understand 19th march for the last WD --- 16 april for LC
--- 14 may RC
<tlr> +1 to taking this offline
<fjh> +1 to taking this offline
AB: Last thing on the list is mandatory algorithms
TLR: Think about EC and DSA
... no consensus in the security group yet
MP: We would prefer the spec to be finished rather than have drawn
out discussions
... there are unclear IPR issues around ECDSA
... we haven't been able to check on that
... the reasons for rejecting DSASHA-256 are not very strong from
the XML SG
TLR: The FIPS standard is done, it is waiting for the US Secretary
of Commerce to sign it... however there is no Secretary of Commerce
appointed yet
FJH: Need to know who can live with EC or DSA
DR: Suggest raising as an action
... I can circulate for feedback in OMTP
Arve: There is not much real world use of EC
... I would like to understand if and why it is necessary now and
not at some later stage
MC: We want to future proof as much as possible
<ArtB> ACTION: Marcos determine Opera's position on elliptic curve
re Widgets DigSig spec [recorded in
[45]http://www.w3.org/2009/02/25-wam-minutes.html#action06]
<trackbot> Created ACTION-307 - Determine Opera's position on
elliptic curve re Widgets DigSig spec [on Marcos Caceres - due
2009-03-04].
<ArtB> ACTION: David determine Opera's position on elliptic curve re
Widgets DigSig spec [recorded in
[46]http://www.w3.org/2009/02/25-wam-minutes.html#action07]
<trackbot> Sorry, amibiguous username (more than one match) - David
<trackbot> Try using a different identifier, such as family name or
username (eg. dorchard, drogers)
<tlr> ACTION: rogers to determine OMTP's position on EC re Widgets
DigSig spec [recorded in
[47]http://www.w3.org/2009/02/25-wam-minutes.html#action08]
<trackbot> Created ACTION-308 - Determine OMTP's position on EC re
Widgets DigSig spec [on David Rogers - due 2009-03-04].
<ArtB> ACTION: Rogers determine OMTP's position on elliptic curve re
Widgets DigSig spec [recorded in
[48]http://www.w3.org/2009/02/25-wam-minutes.html#action09]
<trackbot> Created ACTION-309 - Determine OMTP's position on
elliptic curve re Widgets DigSig spec [on David Rogers - due
2009-03-04].
<tlr> ACTION-308: duplicate of ACTION-309
<trackbot> ACTION-308 Determine OMTP's position on EC re Widgets
DigSig spec notes added
<tlr> ACTION-308 closed
<trackbot> ACTION-308 Determine OMTP's position on EC re Widgets
DigSig spec closed
FJH: I'd like to understand where we are with this
TLR: We need the feedback on the document that is being published
tomorrow
<fjh> Please review XML Siganature 1.1 working draft, algorithms and
give feedback!
AB: Thanks for joining guys and particularly Frederick for updating
the spec
FJH: Thanks to everyone for their comments
<ArtB> ScribeNick: ArtB
Media type declarations; MIME; etc.
AB: looking at the agenda, Marcos
... Is the <type> element still something we need to discuss or
drop?
MC: drop it
... we want to talk about the <media> element proposal
...
[49]http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/04
91.html
... Larry Masinter submitted some comments
... LM:
[50]http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/04
59.html
... No, LM's response is:
[51]http://lists.w3.org/Archives/Public/public-pkg-uri-scheme/2009Fe
b/0003.html
[49] http://lists.w3.org/Archives/Public/public-webapps/
2009JanMar/0491.html
[50] http://lists.w3.org/Archives/Public/public-webapps/
2009JanMar/0459.html
[51] http://lists.w3.org/Archives/Public/public-pkg-uri-scheme/
2009Feb/0003.html
[ Marcos displays a strawman proposal of the <manifest> element ...
]
<Marcos> <manifest xmlns="">
<Marcos> <media path="" type=""/>
<Marcos> <media ext="space delimited list" type=""/>
<Marcos> </manifest>
Arve: are path and extension mutually exclusive for a given element?
<Marcos> <media path="styles/" ext="php" type="text/css" />
<Marcos> <media path="styles/mystyle" type="text/css" />
<arve> [ foo.css, bar, baz ]
<Marcos> <media path="styles/" ext="php"
type="text/css;charset=utf8" />
<arve> [bar, baz] = text/html, foo.css = text/css
<Marcos> <media path="styles/" type="text/css" /> <media
path="styles/foo.css" type="text/css" />
<Marcos> <media path="foo/" ext="php" type="text/css" /> <media
path="foo/bar/" type="" />
<Marcos> where type="" = unknown, so sniff
AB: any comments about this proposal?
Arve: looks pretty solid
<Marcos> <media path="styles/" type="text/css" /> <media
path="styles/" type="text/html" />, where the second overrides the
first
AB: so the precedence is what?
MC: last one is the winner
<arve> /home/user/foo/
<arve> foo
<Marcos> how would this work with xml:base
<Marcos> ?
AB: does this proposal address the issues LM raised?
MC: some of them
... it encorporates some of his concerns
<arve> I quite like type="application/uberml+xml;charset=UTF-7"
MC: he agreed we don't need to include every file in the ZIP
... for example, we could just target one folder
... who wins in the conflict of manifest versus config file
... I like config file wins
... this proposal does not conflict with HTML5's cache manifest
... that is completely different use case
AB: good
... what is the processing model?
MC: I will define it in a separate new spec - it will not be in the
P&C spec
AB: when will it be used
MC: one use case is when a user wants to save a widget and the WUA
can slurp up all of the files for a widget
AB: is Opera convinced we need this for v1.0?
MC: no, not necessarily. 2.0 could be OK
... It has been requested by several people including TLR, LM and
Adam Barth
Arve: I'm not convinced we need it
... sure Save As Widgets is neat but not sure we need a spec to
cover the use case
AB: what's the relationship between this proposal and the issue Adam
Barth raised?
... i.e.
[52]http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/02
64.html
[52] http://lists.w3.org/Archives/Public/public-webapps/
2009JanMar/0264.html
MC: Adam proposed something like this so indeed my proposal
addresses his concerns
AB: has Adam responded to this proposal?
MC: no, not yet
AB: do you anticipate proponents of this functionality pushing for
this element to be added to P&C spec?
MC: not sure
AB: so here is where I think we are with this:
... A number of people have suggested we need to address this issue
e.g. file extension to MIME type mapping
... we are in general agreement
... But we don't think it needs to be specified in the P&C spec
... We are willing to define this functionality in a separate spec
... And probably not in the Widget spec series
DR: think the P&C spec needs to specify a UI format e.g. HTML
MC: the P&C spec is agnostic - it just specifies the config file and
the package format
Arve: the reality is most of the implemenations will be compatible
with each other and implement a superset of P&C + DigSig + A&E + ...
MC: P&C does not define a "Widget User Agent" just a UA that can
process the config file and ZIP format
DR: we want any widget that will run anywhere
... think we're going to get that widgets that can't be run e.g.
only contains a DLL
... we want the W3C to define Widget User Agent
Arve: the W3C hasn't defined what a Web page is
MC: to be accurate, we should replace the <widget> element with
<package> element
AB: we should go back to the FPWD as that title is probably more
accurate than the current one
Arve: my expectation is that a WUA will be able to handle HTML
... but I don't think that should be mandatory
MC: the original title was "Web Applications Packaging Format"!
CV: I don't think we can replace Widgets at this point
MC: In hindsight I think we should not have switched to the name
Widget
... I can put the old WUA dependency information into an Informative
appendix if people think that would be useful
AB: we aren't seriously considering changing the title of the P&C
spec, right?
MC: no
Arve: no
DR: still then, where is Widget User Agent defined
AB: I'm mostly indifferent but it does not belong in the P&C spec
DR: so how do we solve this problem?
<drogersuk> we are at serious risk of market fragmentation
MC: one approach as I mentioned is to add an informative note to the
P&C spec
AB: why doesn't OMTP define WUA as it sees fit?
DR: that leads to fragmenation
MC: we can recommend specific MIME types but we can't mandate them
... for example the widget i.e. package could contain Flash
... are you willing to write text that covers your concern?
<drogersuk> ACTION:rogers OMTP to take Marcos' original text and
modify to add the concerns over MIME types [recorded in
[53]http://www.w3.org/2009/02/25-wam-minutes.html#action10]
MC: note HTML5 doesn't define any dependencies
... although they are implied
# <feature> default; raised by Kai Hendry
AB: what's the status of this?
MC: I've already addressed this
... feature is required at runtime unless explicitly set to optional
<scribe> ACTION: Marcos make sure the <feature> comment by Kai has
been addressed [recorded in
[54]http://www.w3.org/2009/02/25-wam-minutes.html#action11]
<trackbot> Created ACTION-310 - Make sure the <feature> comment by
Kai has been addressed [on Marcos Caceres - due 2009-03-04].
<scribe> ACTION: Rogers OMTP to take Marcos' original text and
modify to add the concerns over MIME types [recorded in
[55]http://www.w3.org/2009/02/25-wam-minutes.html#action12]
<trackbot> Created ACTION-311 - OMTP to take Marcos' original text
and modify to add the concerns over MIME types [on David Rogers -
due 2009-03-04].
<icon> element ISSUE: what if it's a vector and no size is given?
AB: Marcos, what's the status of this?
... [56]http://dev.w3.org/2006/waf/widgets/#the-icon-element
[56] http://dev.w3.org/2006/waf/widgets/#the-icon-element
MC: Doug gave me some proposed text and I've added it to the ED
Arve: is this really needed in the spec?
... Seems like its specifying visual behavior of the UA
MC: during the 2nd LC we must do a better job of removing anything
that is extaneous to the config file and package format
AB: from the P&C perspective, I don't think this needs to be
specified
<preference> element proposal; by Art Barstow
AB: what's the status Marcos?
MC: I've already specified this
... see the latest ED
Arve: I don't agree with MUST in this case
... I can think of some cases were MUST is too strong
[ MC makes a change in the ED to address Arve's comment ]
Arve: how will read-only be handled by the UA implementing the
preferences array as defined in the A&E spec?
MC: that array should be read-only
Arve: I'm not sure about that
Ivan: what are the use cases?
<Marcos> for var in preferences {}
Arve: a widget like a RSS reader could have a list of URIs
<arve> for (var key in widget.preferences){ /* ... */ }
Ivan: seems like we don't need two mechanisms here
... How do you get the keys?
MC: we will probably need a keys attribute
... we don't want to build a dependency on HTML5
... we probably also need methods to clear the array
Arve: what if prefs returned generic objects rather than a
DOMString?
... not sure we want to go that way
Ivan: I made a proposal on the mail list
...
[57]http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/04
55.html
[57] http://lists.w3.org/Archives/Public/public-webapps/
2009JanMar/0455.html
[ Discussion of Ivan's proposal in the above e-mail ]
[ Marcos adds some related text to Req #28 e.g. some methods needed
to support richer Preferences ... ]
AB: Meeting Adjourned
Summary of Action Items
[NEW] ACTION: David determine Opera's position on elliptic curve re
Widgets DigSig spec [recorded in
[58]http://www.w3.org/2009/02/25-wam-minutes.html#action07]
[NEW] ACTION: Frederick check XMl Sig 1.1 re role, expires, etc.
properties [recorded in
[59]http://www.w3.org/2009/02/25-wam-minutes.html#action04]
[NEW] ACTION: Marcos determine Opera's position on elliptic curve re
Widgets DigSig spec [recorded in
[60]http://www.w3.org/2009/02/25-wam-minutes.html#action06]
[NEW] ACTION: Marcos make sure the <feature> comment by Kai has been
addressed [recorded in
[61]http://www.w3.org/2009/02/25-wam-minutes.html#action11]
[NEW] ACTION: Marcos report back to the WG ASAP regarding your
ability to be the Editor of the two new specs proposed and discussed
on Feb 24 [recorded in
[62]http://www.w3.org/2009/02/25-wam-minutes.html#action02]
[NEW] ACTION: Marcos respond to Marcin and ask him to make specific
proposals if he has any [recorded in
[63]http://www.w3.org/2009/02/25-wam-minutes.html#action01]
[NEW] ACTION: Marcos will make a hybrid proposal and send it the
mail list [recorded in
[64]http://www.w3.org/2009/02/25-wam-minutes.html#action03]
[NEW] ACTION: Rogers determine OMTP's position on elliptic curve re
Widgets DigSig spec [recorded in
[65]http://www.w3.org/2009/02/25-wam-minutes.html#action09]
[NEW] ACTION: rogers OMTP to take Marcos' original text and modify
to add the concerns over MIME types [recorded in
[66]http://www.w3.org/2009/02/25-wam-minutes.html#action10]
[NEW] ACTION: Rogers OMTP to take Marcos' original text and modify
to add the concerns over MIME types [recorded in
[67]http://www.w3.org/2009/02/25-wam-minutes.html#action12]
[NEW] ACTION: rogers to determine OMTP's position on EC re Widgets
DigSig spec [recorded in
[68]http://www.w3.org/2009/02/25-wam-minutes.html#action08]
[NEW] ACTION: thomas to say something about trust anchors in the
beginning of 6.2 [recorded in
[69]http://www.w3.org/2009/02/25-wam-minutes.html#action05]
[End of minutes]
Received on Thursday, 26 February 2009 16:23:04 UTC