
Re: [widget-digsig] zip relative path update

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 18 Mar 2009 21:51:50 +0100
Cc: ext Marcos Caceres <marcosc@opera.com>, Frederick Hirsch <Frederick.Hirsch@nokia.com>, "ext Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>, WebApps WG <public-webapps@w3.org>
Message-Id: <685D8A03-0D20-4342-8D0C-677345F598CB@w3.org>
To: Frederick Hirsch <Frederick.Hirsch@nokia.com>

I wonder what the interaction between this and a manifest approach for  
URI dereferencing would be. I could argue the case both ways, but  
would be interested in your thoughts.

Thomas Roessler, W3C  <tlr@w3.org>

On Mar 18, 2009, at 20:53, Frederick Hirsch  
<Frederick.Hirsch@nokia.com> wrote:

> Marcos
>
> Regarding the requirement for validity checking zip relative paths
> in widget signature [1] references, does the following change make
> sense to you?:
>
> Change last paragraph in section 5.1, Use of XML Signature in
> Widgets to (only last sentence is changed, to two new sentences):
>
> Every ds:Reference used within a widget signature MUST have a URI
> attribute. Every ds:Reference to an item within the widget signature
> MUST use an IDREF value for the ds:Reference URI attribute,
> referring to a unique ID within the widget signature
> [XML-Schema-Datatypes]. Every ds:Reference to a widget file MUST use
> a URI expressing the zip relative path to the widget file, properly
> URL encoded [URI]. The zip relative path MUST conform to the
> requirements expressed in [Widgets Packaging].
>
> Please let me know any comment or suggestion. Thanks for noting this
> concern.
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> [1] http://dev.w3.org/2006/waf/widgets-digsig/
>
> On Mar 17, 2009, at 8:15 AM, ext Marcos Caceres wrote:
>
>> Hi Frederick,
>>
>> On 3/17/09 1:01 PM, Frederick Hirsch wrote:
>>> The latest draft includes the revised text from Thomas.
>>>
>>> Marcos, are you suggesting we add something more? It sounds like
>>> what you are saying here, is that it should be a valid widget
>>> file. Isn't that part of P&C checking? I'm not sure what it means
>>> to check that the paths are "as secure as possible."
>>
>> You might want to check the following section of the P&C [1] and
>> see if it is usable in dig sigs. Given that the paths in the
>> <reference> elements MUST be zip-relative-paths, the rules for
>> checking the validity of those paths may apply to the Widgets Dig
>> Sig spec.
>>
>> [1] http://dev.w3.org/2006/waf/widgets/#zip-relative-paths

Received on Wednesday, 18 March 2009 20:52:37 UTC
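
The reference rule proposed in the quoted text above, sketched as a validator (an added example, not part of the original thread or of either specification). Assumptions: an IDREF reference is written as "#" plus an Id value, the path checks are illustrative stand-ins and not the actual rules of [Widgets Packaging], and the function names, sample signature and file list are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def check_reference(uri, ids, archive_names):
    """Return None if the ds:Reference URI is acceptable, else a reason."""
    if uri is None:
        return "missing URI attribute"
    if uri.startswith("#"):  # assumed form of an IDREF-style reference
        return None if uri[1:] in ids else "no matching Id in the signature"
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc or parts.query or parts.fragment:
        return "not a plain relative path"
    # Decode first: checking the still-encoded form would miss %2e%2e.
    path = unquote(parts.path)
    segments = path.split("/")
    # Illustrative checks only; empty segments also catch a leading "/".
    if "\\" in path or any(s in ("", ".", "..") for s in segments):
        return "not a clean zip relative path"
    if path not in archive_names:
        return "no such file in the widget package"
    return None

def check_signature(xml_text, archive_names):
    """Map each ds:Reference URI in the signature to None or a reason."""
    root = ET.fromstring(xml_text)
    ids = {e.get("Id") for e in root.iter() if e.get("Id")}
    names = set(archive_names)
    return {r.get("URI"): check_reference(r.get("URI"), ids, names)
            for r in root.iter(DS + "Reference")}

# Constructed sample input: a skeletal signature and a package file list.
SAMPLE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
  <Reference URI="config.xml"/>
  <Reference URI="icons/my%20icon.png"/>
  <Reference URI="#prop"/>
  <Reference URI="%2e%2e/other.js"/>
  <Reference URI="http://example.org/x.js"/>
  <Reference/>
 </SignedInfo>
 <Object Id="prop"/>
</Signature>"""
ARCHIVE = ["config.xml", "icons/my icon.png", "index.html"]

if __name__ == "__main__":
    for uri, reason in check_signature(SAMPLE, ARCHIVE).items():
        print(repr(uri), "->", reason or "ok")
```

Running the check before digest verification means a reference that names nothing in the package is rejected on its own terms rather than surfacing as a generic digest failure.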
