- From: Marcos Caceres <marcosc@opera.com>
- Date: Fri, 12 Feb 2010 15:07:48 +0100
- To: Scott Wilson <scott.bradley.wilson@gmail.com>
- CC: Jonas Sicking <jonas@sicking.cc>, Webapps WG <public-webapps@w3.org>, Henri Sivonen <hsivonen@iki.fi>, Frederick Hirsch <Frederick.Hirsch@nokia.com>
(Dragging Henri Sivonen in, as he originally raised some of the issues below and I'm sure he would like to be involved. Also dragging Frederick Hirsch in, as he co-edited Widgets Dig Sig spec and co-editor of the XML Signature Syntax and Processing Second Edition) Scott Wilson wrote: > > On 11 Feb 2010, at 01:10, Jonas Sicking wrote: > >>> I don't disagree with you on the implementation side (and Im happy to >>> hear >>> that you think it can be implemented - I'll keep my fingers crossed). >>> On the >>> author side, I honestly don't know how much of a difference it will >>> make. >>> I'm sure someone will create a dead easy click once packager for >>> widgets, if >>> they haven't done so already. But is there something inherently wrong >>> with >>> our current technological choice that would not allow that? (if yes, >>> please >>> send to public-webapps, which is where we discuss widgets ;)) >> >> Ah, the old "the tools will save us" argument ;) >> >> Yes, tools can certainly help. But that doesn't remove from the fact >> that something that's simpler to author would be simpler for authors. >> What about situations when you want to dynamically generate widgets, >> say using PHP? Or if you don't speak the language(s) the tool is >> localized to. Or if a web-based tool happens to be down because of >> server upgrades? >> >> / Jonas >> > > I've run two "build a W3C widget" events now for Wookie, one for > students (mostly education/social sci students, not computer > scientists!) and one for developers. No complaints about them being too > complicated to make; pretty much everyone had learned the tech and made > one in 90 minutes. Did they digitally sign the widget too? > So where's the issue? There is no "issue", we are just doing a comparison for argument's sake at this point. What we are discussing is if Mozilla's solution for signing Zip files (JAR-based) [1] is easier for vendors to implement/maintain and authors to deal with when compared to the W3C Widget solution of using XML Dig Sig. If it's easy to build a widget is a different matter (and I very much doubt that anyone would argue that making a widget is hard - It's so easy, in fact, that Opera once put the instructions for building a "Hello World!" widget on a business card! - so yeah, it's easy:)). Thus far, in terms of ease of use for authors, little in the way of concrete evidence has been presented of one signing method being easier than the other (specially by looking at the complexity of using Mozilla's command line-based tool [1] compared to BONDI's SDK [2]). This is not to say that Mozilla (or anyone, given its open source nature) could not make a super easy tool for signing zip files. However, the proof is in the pudding here: By virtue that Bondi's SDK includes a tool that allows widgets to be signed with a few clicks is evidence that the W3C's Widgets Signature specification is capable of being used to produce easy to use products. And by virtue that Kai Hendry has created scripts that could allow widgets to be signed/verified over the Web is evidence that tools can that address Jonas' case of widgets being dynamically generated on the server side and signed dynamically. I know the tools won't save us, but the fact that tools now exists that do what the WG predicted it would ("click, click, done!" and allow widgets to be dynamically signed on the server-side) serves as strong evidence that the choice of using XML Dig Sig was the right one for the authoring use cases and design goals [3]: we wanted ease of use and we got it! now we want interop, and we are hopeful we will get it. That leads to the next point... In terms of implementation, Mozilla has previously raised concerns about XML canonicalization (which I don't fully understand, hence the growing email cc list) - but by the virtue that people have implemented the Widget signing spec, I await to see if Mozilla's concerns will materialize in practice and actually hinder interoperability - I'm not saying this is FUD, but we need proof. It's too early to make the call that widget signing is flawed. And it's important to note that no one that has implemented has come back to the WG raising any concerns or screaming bloody murder. However, as no test suite exists yet, we are hopeful that those that have experience and understand the canonicalization issues with XML (*cough, cough, Henri Sivonen, cough*:)) will help us build test that expose the interoperability issues so that that we can address them for real. Without the test that actually expose the limitations of XML canonicalization and XML Dig Sig, we can talk about this till the cows come home. So, can anyone help with a few tests? Kind regards, Marcos [1] https://developer.mozilla.org/en/Signing_a_XPI [2] http://bondisdk.limofoundation.org/ [3] http://dev.w3.org/2006/waf/widgets-reqs/ [4] http://git.webvm.net/?p=wgtqa;a=tree;f=xmldsig
Received on Friday, 12 February 2010 14:08:38 UTC