- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Fri, 27 Mar 2009 13:55:02 -0400
- To: "ext Hillebrand, Rainer" <Rainer.Hillebrand@t-mobile.net>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, "marcosc@opera.com" <marcosc@opera.com>, WebApps WG <public-webapps@w3.org>
comments inline, thanks for reviewing this regards, Frederick Frederick Hirsch Nokia On Mar 27, 2009, at 1:26 PM, ext Hillebrand, Rainer wrote: > Dear Marcos, > > I hope to have less critical comments than in my last feedback email. > > 1. Section 7.1: change "The ds:SignatureMethod algorithm used in the > ds:SignatureValue element MUST one of the signature algorithms." to > "The ds:SignatureMethod algorithm used in the ds:SignatureValue > element MUST be one of the signature algorithms." ok > > > 2. Section 7.1: "The ds:KeyInfo element MAY be included and MAY > include certificate, CRL and/or OCSP information.": CRL and OCSP are > not defined before. Do you have a reference for these abbreviations? will add RFC references. (but should be common to those familar with certs ) > > > 3. Section 7.3: "The set of acceptable trust anchors, and policy > decisions based on the signer's identity are established through a > security-critical out-of-band mechanism." I do not really understand > this sentence. This is not subject for the processing rules, isn't > it? What is an acceptable trust anchor? Are they really established > or may they be established? knowing whom you can trust and how to establish that trust is out of scope. > > > 4. Section 8: change "Care should be taken to avoid resource > exhaustion attacks through maliciously crafted Widget archives > during signature verification." to "Care should be taken to avoid > resource exhaustion attacks through maliciously crafted [widget > package]s during signature validation." ok > > > 5. Section 8: change "Implementations should be careful about > trusting path components found in the zip archive" to > "Implementations should be careful about trusting path components > found in the [widget package]" ok > > > 6. Section 8: change "and naive unpacking of widget archives into" > to "and naive unpacking of [widget package]s into" > ok > 7. Section 8: change "e.g., overwriting of startup or system files" > to "e.g. overwriting of startup or system files" > No, I believe the correct usage is to have the comma. e.g. means "exempli gratia" , meaning "for example". Thus for example, some text I think we should change to "for example" in this case. > 8. Section 8: change "There is no single signature file that > includes all contents of a widget, including all of the signatures." > to "There is no single signature file that includes all files of a > [widget package], including all of the signature files." ok, since everything is a file > > > 9. Section 8: change "This leaves a widget package subject to an > attack where distributor signatures can be removed (and an author > signature if any corresponding distributor signature is also > removed), or added." to "This leaves a widget package subject to an > attack where distributor signatures can be removed or added. An > author signature could also be attacked by removing it and any > distributor signatures if they are present." better, thanks > > > Best Regards, > > Rainer > > ************************************* > T-Mobile International > Terminal Technology > Rainer Hillebrand > Head of Terminal Security > Landgrabenweg 151, D-53227 Bonn > Germany > > +49 171 5211056 (My T-Mobile) > +49 228 936 13916 (Tel.) > +49 228 936 18406 (Fax) > E-Mail: rainer.hillebrand@t-mobile.net > > http://www.t-mobile.net > > This e-mail and any attachment are confidential and may be > privileged. If you are not the intended recipient, notify the sender > immediately, destroy all copies from your system and do not disclose > or use the information for any purpose. > > Diese E-Mail inklusive aller Anhänge ist vertraulich und könnte > bevorrechtigtem Schutz unterliegen. Wenn Sie nicht der beabsichtigte > Adressat sind, informieren Sie bitte den Absender unverzüglich, > löschen Sie alle Kopien von Ihrem System und veröffentlichen Sie > oder nutzen Sie die Information keinesfalls, gleich zu welchem Zweck. > > > T-Mobile International AG > Aufsichtsrat/ Supervisory Board: René Obermann (Vorsitzender/ > Chairman) > Vorstand/ Board of Management: Hamid Akhavan (Vorsitzender/ > Chairman), Michael Günther, Lothar A. Harings, Katharina Hollender > Handelsregister/Commercial Register Entry: Amtsgericht Bonn, HRB 12276 > Steuer-Nr./Tax No.: 205 / 5777/ 0518 > USt.-ID./VAT Reg.No.: DE189669124 > Sitz der Gesellschaft/ Corporate Headquarters: Bonn >
Received on Friday, 27 March 2009 17:56:17 UTC