Hi Frederick,
I agree with all of your changes with two comments. The sentence:
"The Signature MUST be produced using a key of the recommended key
length
<http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length> "
is still problematic given that we allow (although discourage) key
lengths less than the recommended key length, and probably don't want to
rule out the use of longer keys. Suggest changing to:
"The Signature SHOULD be produced using a key of the recommended key
length
<http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length> .
The Signature MUST comply with Signature method algorithm requirements
in the Algorithms section of this document"
I also think we need to link recommended key length to algorithms now we
allow other algorithms to be used, ie if ECDSA is used it would be OK to
use shorter keys.
Thanks,
Mark
________________________________
From: Frederick Hirsch [mailto:[email protected]]
Sent: 18 March 2009 20:34
To: WebApps WG
Cc: Frederick Hirsch; Priestley, Mark, VF-Group; Marcos Caceres
Subject: [widget-digsig] proposed change to 7.1, common
constraints, for algorithms
Mark
One issue you raised was that we have MUSTS on algorithms in the
processing rules in section 7.1, but allow other algorithms in the
algorithm section with MAY.
After our previous email exchange, I suggest the following
changes to section 7.1 in Widget Signature [1] to address this concern:
(1) Change item 3b from
The Algorithm attribute of the ds:digestMethod MUST be set to a
digest algorithm specified in the Algorithms section of this document.
to
The Algorithm attribute of the ds:digestMethod MUST comply with
the digest algorithm requirements specified in the Algorithms section of
this document.
(2) Change 5a from
The Algorithm attribute of the ds:CanonicalizationMethod element
MUST be set to a Canonicalization method specified in the Algorithms
section of this document.
to
The Algorithm attribute of the ds:CanonicalizationMethod element
MUST comply with the Canonicalization method algorithm requirements
specified in the Algorithms section of this document.
(3) Change 5b from
The ds:SignatureValue element MUST contain a signature generated
using a Signature method specified in the Algorithms section of this
document and MUST use a key that is of the length of arecommended key
length
<http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length> .
to
The Signature method algorithm used in the ds:SignatureValue
element MUST comply with Signature method algorithm requirements in the
Algorithms section of this document. The Signature MUST be produced
using a key of the recommended key length
<http://dev.w3.org/2006/waf/widgets-digsig/#recommended-key-length>
Does this change make sense? Do you have any suggestion or
comment?
Thanks for the careful review of the draft.
regards, Frederick
Frederick Hirsch
Nokia
[1] http://dev.w3.org/2006/waf/widgets-digsig/
[mp] While this is better I think it misses the fact
that we are
strongly recommending the use of certain algorithms. I
still like the
idea of including authoring (signing)
guidelines/recommendations, ie you
can sign your widget using any signature algorithm but
if you want it to
work across all W3C widget user agents use algorithm X.
Same sort of
thing for digest algorithm and key length. What do you
think?
