- From: Marcos Caceres <marcosc@opera.com>
- Date: Tue, 15 Sep 2009 17:20:18 +0200
- To: Arthur Barstow <Art.Barstow@nokia.com>
- CC: public-webapps <public-webapps@w3.org>
Arthur Barstow wrote:
> On Sep 14, 2009, at 11:00 AM, ext Marcos Caceres wrote:
>
>> On Mon, Sep 14, 2009 at 1:33 PM, Arthur Barstow
>> <Art.Barstow@nokia.com> wrote:
>>> On Sep 13, 2009, at 1:06 PM, ext Marcos Caceres wrote:
>>>> It is optional for a user agent to support the widgets
>>>> [Widgets-DigSig] specification.
>>>> ]]
>>>
>>> Why did you add the DigSig text above and new DigSig paragraph below the
>>> Note (Section 4)? This spec should focus exclusively on the A&E UA.
>>
>> The reason is that currently, the following text does not have a home:
>>
>> [[A user agent must prevent a browsing context of a widget from
>> accessing (e.g., via scripts, CSS, HTML, etc.) the contents of a
>> digital signature document unless an access control mechanism
>> explicitly enables such access, e.g. via an access control policy. The
>> definition of such a policy mechanism is beyond the scope this
>> specification, but can be defined by implementers to allow access to
>> all or parts of the signature documents, or deny any such access. An
>> exception is if a user agent that implements this specification also
>> implements the optional [Widgets-DigSig] specification, in which case
>> the user agent must make digital signature documents available only to
>> the implementation of the [Widgets-DigSig] specification; a user agent
>> must not make the digital signatures accessible to scripting or other
>> content loading mechanisms, unless explicitly enabled by an access
>> control mechanism.]]
>>
>> This spec seems like a good home for the text above (hence the
>> optionality of widgets dig sig).
>
> I kinda' understand the general concern, but I don't think the lack of a
> "home" for this spec is sufficient rationale to make the quoted text
> above normative in this spec.

Agreed.

> We should try to keep these specs as independent as possible.

Agreed.

> It also isn't clear how one would test the "unless" clause of the first
> statement for a black-box implementation of the A&E spec.

We need to plug this hole somewhere/somehow. I'll take this out of the spec, but this text needs to be captured as a formal issue with widgets that _must_ be addressed before we wrap up this work.

Received on Tuesday, 15 September 2009 15:21:08 UTC