RE: [BONDI Architecture & Security] [widgets] Author, was: RE: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi Paddy,

I agree with your summary, but I have comments on the sequence of conclusions.

>>But, as Thomas says, the P&C spec should confine itself to defining how a Widget Resource encodes the signature(s), and say something about what is being asserted, and by who. The author is simply some entity that has signed the Widget Resource, who is content to be identified as the creator or the originator of the content.
Agreed. It is just about binding the entities.

>>In BONDI we do have roles for the author and distributor signatures, and an implementation may perform specific actions based on the signatures that are provided.
Agreed. The problem I have is that the term author is not defined in DigSig (and P&C defines just the <author> element). It would be OK to say in the DigSig spec that it is intentional. Author is just some distinguished entity. There may be readers of the W3C specs who do not know about BONDI.
Maybe even the association of the term "author" in DigSig with the <author> element in P&C is wrong?
Maybe these are 2 different entities?

In general my comments are about spec quality. BONDI builds upon W3C Widgets, and not vice-versa.
So if there are terms in W3C Widgets that are intentionally left underspecified, let's state that clearly in the spec.

Thanks.

Kind regards,
Marcin
________________________________________
From: paddy.byers@gmail.com [paddy.byers@gmail.com] On Behalf Of Paddy Byers [paddy@aplix.co.jp]
Sent: Friday, March 27, 2009 12:13 AM
To: Marcin Hanclik
Cc: Thomas Roessler; Hillebrand, Rainer; marcosc@opera.com; public-webapps@w3.org; otsi-arch-sec@omtplists.org
Subject: Re: [BONDI Architecture & Security] [widgets] Author, was: RE: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi,

I have been trying to identify the term author in Widget specs.

I think we're in danger of getting into details that are irrelevant for the P&C specification.

This spec should define what information is asserted by the presence of the author and distributor signatures.

It is up to a consuming device, possibly defined by some other specification, to determine what actions are taken based on that asserted information.

In BONDI we do have roles for the author and distributor signatures, and an implementation may perform specific actions based on the signatures that are provided.

But, as Thomas says, the P&C spec should confine itself to defining how a Widget Resource encodes the signature(s), and say something about what is being asserted, and by who. The author is simply some entity that has signed the Widget Resource, who is content to be identified as the creator or the originator of the content.

Thanks - Paddy


________________________________________

Access Systems Germany GmbH
Essener Strasse 5  |  D-46047 Oberhausen
HRB 13548 Amtsgericht Duisburg
Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda

www.access-company.com


Received on Thursday, 26 March 2009 23:45:47 UTC