- From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
- Date: Mon, 3 May 2010 10:30:15 -0400
- To: XMLSec WG Public List <public-xmlsec@w3.org>
- Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>
fyi

regards, Frederick

Frederick Hirsch
Nokia

Begin forwarded message:

> From: "Hirsch Frederick (Nokia-CIC/Boston)" <Frederick.Hirsch@nokia.com>
> Date: April 30, 2010 8:37:46 AM EDT
> To: public-webapps WG <public-webapps@w3.org>
> Cc: "Hirsch Frederick (Nokia-CIC/Boston)" <Frederick.Hirsch@nokia.com>
> Subject: Review of update to Widget Signature
>
> Marcos
>
> Thanks for taking the time to propose a revision to Widget Signature
> based on your experience working on the test cases. This looks like a
> very good improvement in readability and clarity of conformance
> requirements.
>
> From a technical point of view it looks to be fundamentally the same
> to me, with a couple of changes noted here, though I may have missed
> something in the large number of changes. Here are a few questions:
>
> 1. You removed requirement that signature be at root of widget
> package? This seems an important requirement here for knowing which
> signatures are valid (even if in packaging and config)
>
> 2. The following signature validation rule in section 6 seems
> incorrect since it does not account for author signatures:
>
> "A validator MUST ignore any file entry whose file name does not
> conform to the naming convention for a distributor signature."
>
> Change to:
>
> "A validator MUST ignore any file entry whose file name does not
> conform to the naming convention for an author or distributor
> signature."
>
> 3. The abstract was revised to generalize beyond widgets, which I
> don't understand given that the entire specification is widget
> specific. What did you have in mind?
>
>> allow a packaged Web application such as widgets
>
> 4. Typo section 8, in note: Signign
>
> Regarding process, some of the changes and deletions remove material
> that was added through decision of the WG earlier - although to me it
> appears to be an improvement. So we need WG to agree to accept
> changes.
>
> Given that the conformance targets have been redefined, that
> normative language has been removed or changed, is another full Last
> Call (3 weeks) required? Maybe, but I'm not sure since apart from
> the questions above it looks like the same net effect on
> implementations.
>
> Thanks
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
Received on Monday, 3 May 2010 14:31:18 UTC