Marcos
Regarding the requirement for validity checking zip relative paths in
widget signature [1] references, does the following change make sense
to you?:
Change last paragraph in section 5.1, Use of XML Signature in Widgets
to (only last sentence is changed, to two new sentences):
Every ds:Reference used within a widget signature MUST have a URI
attribute. Every ds:Reference to an item within the widget signature
MUST use an IDREF value for the ds:Reference URI attribute, referring
to a unique ID within the widget signature [XML-Schema-Datatypes].
Every ds:Reference to a widget file MUST use a URI expressing the zip
relative path to the widget file, properly URL encoded [URI]. The zip
relative path MUST conform to the requirements expressed in [Widgets
Packaging].
Please let me know any comment or suggestion. Thanks for noting this
concern.
regards, Frederick
Frederick Hirsch
Nokia
[1] http://dev.w3.org/2006/waf/widgets-digsig/
On Mar 17, 2009, at 8:15 AM, ext Marcos Caceres wrote:
>
> Hi Frederick,
>
> On 3/17/09 1:01 PM, Frederick Hirsch wrote:
>> The latest draft includes the revised text from Thomas.
>>
>> Marcos, are you suggesting we add something more? It sounds like what
>> you are saying here, is that it should be a valid widget file. Isn't
>> that part of P&C checking? I'm not sure what it means to check that
>> the
>> paths are "as secure as possible."
>
> You might want to check the following section of the P&C [1] and see
> if
> it is usable in dig sigs. Given that the paths in the <reference>
> elements MUST be zip-relative-paths, the rules for checking the
> validity
> of those paths may apply to the Widgets Dig Sig spec.
>
>
> [1] http://dev.w3.org/2006/waf/widgets/#zip-relative-paths
>