I suggest removing the editorial note currently present in section 8 of the Editor's Draft.
Instead, add the following to the Security Considerations section:
The signature scheme described in this document deals with the content present inside a compressed widget package. This implies that, in order to verify a widget signature, implementations need to uncompress a data stream that can come from an arbitrary source. A signature according to this specification does *not* limit the attack surface of decompression and unpacking code used during signature extraction and verification.
Care should be taken to avoid resource exhaustion attacks through maliciously crafted Widget archives during signature verification.
Implementations that store the content of widget archives to the file system during signature verification must not trust any path components of file names present in the archive, to avoid overwriting of arbitrary files during signature verification.
(In other words, the zip archive isn't signed, and bad things might happen if signature verification is implemented naively.)
-- Thomas Roessler, W3C <[email protected]>
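The two hazards named in the proposed text (resource exhaustion from a maliciously crafted archive, and path components that escape the extraction directory) can both be checked against the zip central directory before a single byte of widget content is inflated. The following is an added illustration written for this page; it is not code from the e-mail, from the W3C widget signature specification or from any implementation of it. The limits (entry count, per-entry and total uncompressed size, compression ratio) are arbitrary assumptions chosen for the example, and the sample archives are constructed in memory so the check runs offline.

```python
import io
import zipfile
from typing import Dict, List

# Illustrative limits: assumptions for this example, not values from the widget spec.
MAX_ENTRIES = 1000
MAX_TOTAL_UNCOMPRESSED = 10 * 1024 * 1024   # 10 MiB across the whole archive
MAX_ENTRY_UNCOMPRESSED = 2 * 1024 * 1024    # 2 MiB per member
MAX_COMPRESSION_RATIO = 100                 # refuse members that inflate more than 100x
CHUNK = 64 * 1024


class UnsafeArchive(Exception):
    """Raised when an archive must not be unpacked during signature verification."""


def is_safe_member_name(name: str) -> bool:
    """Refuse member names that could land outside the extraction directory.

    The archive itself is unsigned, so every name is attacker-controlled:
    empty names, NUL bytes, backslashes, absolute paths, drive letters and
    '.'/'..' components are all rejected. A trailing '/' marks a directory entry.
    """
    if not name or "\x00" in name or "\\" in name:
        return False
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    parts = name.rstrip("/").split("/")
    return all(part not in ("", ".", "..") for part in parts)


def check_archive(data: bytes) -> List[str]:
    """Validate an untrusted widget archive before its content is trusted.

    Returns the member names if every check passes, otherwise raises
    UnsafeArchive. Sizes declared in the central directory are checked first,
    so a zip bomb is refused without inflating anything; the bytes actually
    produced by the decompressor are then counted against the same budget
    so the check does not rely on the headers being honest.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise UnsafeArchive("not a zip archive: %s" % exc) from exc

    infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        raise UnsafeArchive("too many entries: %d" % len(infos))

    declared_total = 0
    for info in infos:
        if not is_safe_member_name(info.filename):
            raise UnsafeArchive("unsafe path in archive: %r" % info.filename)
        if info.file_size > MAX_ENTRY_UNCOMPRESSED:
            raise UnsafeArchive("entry too large: %r" % info.filename)
        if info.compress_size > 0 and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
            raise UnsafeArchive("suspicious compression ratio: %r" % info.filename)
        declared_total += info.file_size
        if declared_total > MAX_TOTAL_UNCOMPRESSED:
            raise UnsafeArchive("declared uncompressed size exceeds limit")

    # Second pass: inflate in bounded chunks and stop as soon as the budget is spent.
    inflated_total = 0
    for info in infos:
        if info.is_dir():
            continue
        with zf.open(info) as member:
            while True:
                chunk = member.read(CHUNK)
                if not chunk:
                    break
                inflated_total += len(chunk)
                if inflated_total > MAX_TOTAL_UNCOMPRESSED:
                    raise UnsafeArchive("inflated data exceeds limit")
    return [info.filename for info in infos]


def is_archive_acceptable(data: bytes) -> bool:
    """Boolean wrapper around check_archive for callers that only need a verdict."""
    try:
        check_archive(data)
        return True
    except UnsafeArchive:
        return False


def build_archive(members: Dict[str, bytes]) -> bytes:
    """Construct a deflated zip in memory (test data for this example only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a plausible widget, a path-traversal name, and a 1 MiB
    # run of zeros whose compression ratio is far above the configured limit.
    ok = build_archive({"config.xml": b"<widget/>", "signature1.xml": b"<Signature/>"})
    traversal = build_archive({"../../etc/passwd": b"x"})
    bomb = build_archive({"pad.bin": b"\x00" * (1024 * 1024)})
    print(check_archive(ok))
    print(is_archive_acceptable(traversal), is_archive_acceptable(bomb))
```

The ordering matters: the first pass costs only a walk over the central directory, so hostile archives are refused before the decompressor ever runs, and the second pass exists purely so that a library which trusted the declared sizes would still be bounded.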
