[widget-digsig] Updated Editors Draft of Widget Signature

I have completed a major round of editorial updates to the Widget  
Signature editors draft.

http://dev.w3.org/2006/waf/widgets-digsig/

This is intended to be our public working draft for Monday, so please  
review the changes. Thanks to all who commented. This does not include  
changes for issues that might require more discussion.

The document date and type (working draft vs editors draft) should be  
changed upon final publication.

Changes to note (and please review)

1. Added new section, "Conventions".

Note that I attempted to give examples of the formats rather than  
describe the formatting, since the formatting is based on a style  
sheet that might change.

2. Added reference for OCSP (RFC 2560) and removed reference for  
X509 v3, referring to RFC 5280 instead. Reference RFC 5280 at first  
reference of CRL.

http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0980.html

3. Generally changed "widget archive" to "widget package"

4. Completed changes agreed in
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0969.html

see [1] below

5. Completed changes agreed in
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0970.html

see [2] below

6.  Completed changes agreed in
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0972.html

see [3] below

7.  Completed changes agreed in
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0973.html

see [4] below

8. Replaced two lower case "must" with "MUST"

9. Removed trust anchor text in 7.3:
"The set of acceptable trust anchors, and policy decisions based on  
the signer's identity are established through a security-critical  
out-of-band mechanism."
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0982.html

regards, Frederick

Frederick Hirsch
Nokia

[1] added
<p>Numerical order is the order based on the numeric portion of the
signature file name. Thus the highest numbered distributor signature
   would be validated first.</p>
to section 4, #6
---

replace
<p>The ordering by
<span>file name</span> can be used to allow consistent
processing and possible
optimization.

in section 4 #6 with

"Ordering of widget signature files by the numeric portion of the file
name can be used to allow consistent processing and possible
optimization."

===
[2]

1. Section 1: "... with XML signatures that each cryptographically
 > include all of the non-signature ..."
 >
 > should become (missing "s")
 >
 > "... with XML signatures that each cryptographically includes all of
 > the non-signature ..."
 >

2. Unify "case sensitive" phrase. There are now both
 > "case-sensitive" and "case sensitive" present in the text.
 >
ok, let's go with "case-sensitive" since Webster's has that.

a) Replace "root of the archive" with "root of the widget"
 >

"root of the widget package", as you corrected in later email
ok

  6. Section 4, item 5: ".. treat this as.." -> what is "this"? I
 > suggest to change the text to "... treat this widget package as ..."

7. Section 4, item 6: "Validate the signature files in the
 > signatures list" -> "signatures" looks weird, the cause is <var> vs.
 > <code> in HTML.

8. Section 5.3.1: "A file entry whose file name that does not match
 > the" -> "that" should be removed

10. Section 7.2: The time SHOULD reflect the time that signature
 > generation completes. -> The time SHOULD reflect the time when
 > signature generation completed.

11. Section 7.3: If present then user agents MUST perform Basic ->
 > If present, the user agents MUST perform Basic
user agent..

12. Section 9.2.1: The time SHOULD reflect the time that signature
 > generation completes. -> The time SHOULD reflect the time when
 > signature generation completed.
 >

====
[3]

<p>These signatures <em class="ct">MUST</em> be sorted numerically
           based on the numeric
       portion of the name. </p>

to

Within a widget package these signature files MUST be ordered based
 > on the numeric portion of the signature file name."
====
[4]

"The RECOMMENDED version of the certificate format is X.509 version 3  
[X509v3]. Implementations MUST be prepared to accept X.509 v3  
certificates [X509v3], [RFC5280]. "
could become
"The RECOMMENDED version of the certificate format is X.509 version 3
as specified in [RFC5280]. Implementations MUST be prepared to accept
X.509 v3 certificates [RFC5280]."

removed X509 v3 reference.

====

Received on Friday, 27 March 2009 19:03:52 UTC
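
The ordering rule quoted in [1] and [3] of the message above (order by the numeric portion of the signature file name, highest numbered distributor signature validated first), as an added example that is not part of the original message or the specification. The file name pattern `signature<N>.xml` without leading zeros, the function names and the sample entries are assumptions made for illustration; the case-sensitive match and the restriction to the root of the widget package follow the wording quoted in [2].

```python
import re

# Assumed naming pattern (not stated in the message): a distributor signature
# is "signature<N>.xml", N a positive integer without leading zeros.
# The match is case-sensitive, per the "case-sensitive" wording in [2].
DISTRIBUTOR_RE = re.compile(r"signature([1-9][0-9]*)\.xml")

# Constructed sample of widget package entries (illustrative only).
SAMPLE_ENTRIES = [
    "config.xml", "index.html",
    "signature2.xml", "signature10.xml", "signature1.xml",
    "Signature3.xml",        # wrong case: not a signature file
    "signature04.xml",       # leading zero: rejected under the assumed pattern
    "sigs/signature7.xml",   # not at the root of the widget package
    "signature9.xml.bak",    # trailing text: not a signature file
]


def order_distributor_signatures(entries):
    """Return root-level distributor signature names, highest number first,
    ordered by the numeric portion of the file name."""
    found = []
    for path in entries:
        if "/" in path:      # only the root of the widget package counts
            continue
        m = DISTRIBUTOR_RE.fullmatch(path)
        if m:
            found.append((int(m.group(1)), path))
    found.sort(reverse=True)  # compare integers, not strings
    return [name for _, name in found]


def lexicographic_order(entries):
    """Naive string sort, shown for contrast: it places signature2.xml ahead
    of signature10.xml, so the validation order differs from the numeric one."""
    names = [e for e in entries if DISTRIBUTOR_RE.fullmatch(e)]
    return sorted(names, reverse=True)


if __name__ == "__main__":
    print("numeric :", order_distributor_signatures(SAMPLE_ENTRIES))
    print("string  :", lexicographic_order(SAMPLE_ENTRIES))
```

A validator that sorts file names as strings would process the signatures in a different order than one that sorts by the numeric portion, which is the inconsistency the "numeric portion" wording removes.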