RE: [widgets-digsig] Editors Draft update and open issues

2009-03-16 Thread Hillebrand, Rainer
Dear Frederick,

I agree with you and Mark to remove "Only the first distributor signature MUST 
be processed." It may depend on a security policy which is currently not 
defined. It might be the first matching signature which can be successfully 
validated with a public key that is available to the WUA. The signatures' order 
in a widget resource does not need to have any influence.

Best Regards,

Rainer

T-Mobile International
Terminal Technology
Rainer Hillebrand
Head of Terminal Security
Landgrabenweg 151, D-53227 Bonn
Germany

+49 171 5211056 (My T-Mobile)
+49 228 936 13916 (Tel.)
+49 228 936 18406 (Fax)
E-Mail: rainer.hillebr...@t-mobile.net

http://www.t-mobile.net




[widgets-digsig] Editors Draft update and open issues

2009-03-16 Thread Frederick Hirsch
I have updated the Widgets Signature editors draft [1] according to  
the following, please review the changes:


1) Added ABNF update

http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0731.html
and
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0732.html

See section 1.2, 5.2, 5.3 and References

2) Added ds:Reference constraint

http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0742.html

See section 5.1 and References.

3) Clarified and updated security considerations text

http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0750.html

See section 8.

4) Misc editorial cleanup

http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0743.html

Security considerations as noted for 3, and clear editorial comments.

Throughout.

The following issues are still open (see message 743):

a) Remove "Only the first distributor signature MUST be processed." ?

I think I agree that Widgets Signature should be silent on this. If
so, where is this going to be noted?

Agreement to remove?

b) Remove DSAwithSHA1 requirement? Status of requirement R47 (Section 2)?
"Support for Multiple Signature Algorithms: DSA-SHA-1, RSA-SHA-1,
DSA-SHA-256 and RSA-SHA-256."


c) I suggest removing the restatement of algorithm requirements in
section 7.1, specifically remove #5a and #5b.


Are there any other changes needed that we are aware of?

Thanks

regards, Frederick

Frederick Hirsch
Nokia

[1] http://dev.w3.org/2006/waf/widgets-digsig/