RE: [widget-digsig] changed widget signature files processing rule in section 4 from Priestley, Mark, VF-Group on 2009-03-19 (public-webapps@w3.org from January to March 2009)

From: Priestley, Mark, VF-Group <Mark.Priestley@vodafone.com>
Date: Thu, 19 Mar 2009 14:40:19 +0100
To: "Frederick Hirsch" <Frederick.Hirsch@nokia.com>, "WebApps WG" <public-webapps@w3.org>
Message-ID: <0BE18111593D8A419BE79891F6C4690902B1CC24@EITO-MBX01.internal.vodafone.com>

Hi Frederick,
 
Small comment. I would change the sentence:
 
"Process the digital signatures in the signatures list in descending
order, with distributor signature
<http://dev.w3.org/2006/waf/widgets-digsig/#distributor-signature> s
first."
 
to
 
"Process the digital signatures in the signatures list in list order
starting with the first file-entry." or something similar
 
(They should already be in descending order, with distributor signatures
first, as list has been sorted in previous steps.)
 
Thanks,
 
Mark 
 
 


________________________________

	From: public-webapps-request@w3.org
[mailto:public-webapps-request@w3.org] On Behalf Of Frederick Hirsch
	Sent: 18 March 2009 21:07
	To: WebApps WG
	Cc: Frederick Hirsch
	Subject: [widget-digsig] changed widget signature files
processing rule in section 4
	
	
	I have updated the latest Widget Signature editors draft section
4 (locating and processing digital signatures) to no longer require the
first signature to be processed.  

	http://dev.w3.org/2006/waf/widgets-digsig/#locating-signatures

	The language is now (numbering ok in draft):

	

	1.	Process the digital signatures in the signatures list in
descending order, with distributor signature
<http://dev.w3.org/2006/waf/widgets-digsig/#distributor-signature> s
first.

		The decision of which (if any) distributor signature
<http://dev.w3.org/2006/waf/widgets-digsig/#distributor-signature> s are
to be validated and whether the author signature
<http://dev.w3.org/2006/waf/widgets-digsig/#author-signature>  is
validated is out of scope of this specification. This may be determined
by the Security Policy used by the user agent.

		The ordering by widget file name
<http://dev.w3.org/2006/waf/widgets-digsig/#widget-file-name>  can be
used to allow consistent processing and possible optimization.

	2.	Every signature that is validated MUST be validated
according to Signature Validation
<http://dev.w3.org/2006/waf/widgets-digsig/#signature-validation>
defined in this specification.

	Please indicate any comment or correction.

	The latest draft also changes all usage of "widget user agent"
to "user agent".

	regards, Frederick

	Frederick Hirsch
	Nokia


	On Mar 16, 2009, at 4:46 PM, ext Priestley, Mark, VF-Group
wrote:


		[mp] My view is that whether zero, one or more
signatures is processed
		is up to the widget user agents security policy
therefore we don't need
		to say anything about which signatures (if any) must be
processed. The
		purpose of sorting the distributor signatures into
ascending order is to
		allow some optimisation of signature processing under
certain
		conditions. Maybe good to further clarify - I can try
and come up with
		something if you'd like (and of course if you agree)?

Received on Thursday, 19 March 2009 13:41:39 UTC