Re: [widgets] Editorial Comments on 18-Aug-2009 LCWD of A&E spec from Marcos Caceres on 2009-09-21 (public-webapps@w3.org from July to September 2009)

From: Marcos Caceres <marcosc@opera.com>
Date: Mon, 21 Sep 2009 20:08:27 +0200
To: Arthur Barstow <Art.Barstow@nokia.com>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <b21a10670909211108x7d2072a2of15a76d5892317ca@mail.gmail.com>

2009/9/15 Marcos Caceres <marcosc@opera.com>:
>
>
> Arthur Barstow wrote:
>>
>> On Sep 14, 2009, at 11:00 AM, ext Marcos Caceres wrote:
>>
>>> On Mon, Sep 14, 2009 at 1:33 PM, Arthur Barstow
>>> <Art.Barstow@nokia.com> wrote:
>>>>
>>>> On Sep 13, 2009, at 1:06 PM, ext Marcos Caceres wrote:
>>>>>
>>>>> It is optional for a user agent to support the widgets
>>>>> [Widgets-DigSig] specification.
>>>>> ]]
>>>>
>>>> Why did you add the DigSig text above and new DigSig paragraph below the
>>>> Note (Section 4)? This spec should focus exclusively on the A&E UA.
>>>
>>> The reason is that currently, the following text does not have a home:
>>>
>>> [[A user agent must prevent a browsing context of a widget from
>>> accessing (e.g., via scripts, CSS, HTML, etc.) the contents of a
>>> digital signature document unless an access control mechanism
>>> explicitly enables such access, e.g. via an access control policy. The
>>> definition of such a policy mechanism is beyond the scope this
>>> specification, but can be defined by implementers to allow access to
>>> all or parts of the signature documents, or deny any such access. An
>>> exception is if a user agent that implements this specification also
>>> implements the optional [Widgets-DigSig] specification, in which case
>>> the user agent must make digital signature documents available only to
>>> the implementation of the [Widgets-DigSig] specification; a user agent
>>> must not make the digital signatures accessible to scripting or other
>>> content loading mechanisms, unless explicitly enabled by an access
>>> control mechanism.]]
>>>
>>> This spec seems like a good home for the text above (hence the
>>> optionality of widgets dig sig).
>>
>> I kinda' understand the general concern, but I don't think the lack of a
>> "home" for this spec is sufficient rationale to make the quoted text
>> above normative in this spec.
>
> Agreed.
>
>> We should try to keep these specs as independent as possible.
>
> Agreed.
>
>> It also isn't clear how one would test the "unless" clause of the first
>> statement for a black-box implementation of the A&E spec.
>
> We need to plug this hole somewhere/somehow. I'll take this out of the spec, but this text needs to be captured as a formal issue with widgets that _must_ be addresses before we wrap up this work.
>

Ok, I've deleted the assertion.



-- 
Marcos Caceres
http://datadriven.com.au

Received on Monday, 21 September 2009 18:09:13 UTC