Updated Editors Draft of Widgets Digital Signatures

2008-12-17 Thread Frederick Hirsch
sections Additional minor editorial update regards, Frederick Frederick Hirsch Nokia On Dec 16, 2008, at 5:43 AM, ext Thomas Roessler wrote: I suggest to remove the editorial note currently present in section 8 of the Editor's Draft. Instead, add the following to the Security

widgets signature abstract - proposed change

2008-12-17 Thread Frederick Hirsch
Frederick Hirsch Nokia

Re: widgets signature abstract - proposed change

2008-12-19 Thread Frederick Hirsch
I have updated the Editors Draft of Widgets Digital Signatures with the revised abstract and the URI for RSA-SHA256. regards, Frederick Frederick Hirsch Nokia On Dec 17, 2008, at 7:19 PM, Frederick Hirsch wrote: Suggested changes to widgets signature Abstract: Change Prior

Update to Widgets Signatures Editors Draft

2009-01-05 Thread Frederick Hirsch
not change the XML Signature namespace. regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-digsig/

Comments on Widgets 1.0 Security requirements

2009-01-05 Thread Frederick Hirsch
to earlier nonce information. That is all for now, though I may have missed something. regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-reqs/

Re: Comments on Widgets 1.0 Security requirements

2009-01-07 Thread Frederick Hirsch
Mark Some more discussion inline, thanks for taking the time to review. Do you mind updating the draft with the items we agree? regards, Frederick Frederick Hirsch Nokia On Jan 7, 2009, at 11:03 AM, ext Priestley, Mark, VF-Group wrote: Hi Frederick, Thanks for your comments. As someone

Updated Signature Properties Draft

2009-01-08 Thread Frederick Hirsch
list. Note that this document is subject to change, based on discussion in XML Security WG This should close XML Security WG ACTION-129 Thank you regards, Frederick Frederick Hirsch Nokia [1] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-properties/Overview.html

Proposed changes to Widgets Signatures

2009-01-08 Thread Frederick Hirsch
using separate libraries?) regards, Frederick Frederick Hirsch Nokia [1] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0038.html

updates Widgets 1.0 Digital Signatures

2009-01-08 Thread Frederick Hirsch
the proposed changes for (2) and (4) in [1] tomorrow, unless I hear objection by tomorrow morning, so as to get a more complete draft, which I will expect will still require additional review. regards, Frederick Frederick Hirsch Nokia [1] plan to add proposed items (2) and (4) in http

Updated Widget Signature Editors draft

2009-01-11 Thread Frederick Hirsch
, and decisions related to algorithms. regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-digsig/ [2] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0042.html [3] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0040.html

updated Widgets Signature and properties

2009-01-16 Thread Frederick Hirsch
Begin forwarded message: From: Frederick Hirsch frederick.hir...@nokia.com Date: January 16, 2009 12:04:43 PM EST To: XMLSec WG Public List public-xml...@w3.org Cc: Frederick Hirsch frederick.hir...@nokia.com Subject: updated Widgets Signature and properties I've updated the Widgets

Re: Comments on Widgets 1.0 Security requirements

2009-01-20 Thread Frederick Hirsch
, Frederick Frederick Hirsch Nokia On Jan 19, 2009, at 7:48 AM, ext Marcos Caceres wrote: Hi Frederick, I've updated the requirements document wrt the suggestions you have made. However, I have not yet included the new requirements as I need to consider them a bit more before I do so

Re: [widgets] Getting synch'ed up on Widgets Digital Signatures

2009-02-04 Thread Frederick Hirsch
additional thoughts on these requirements. regards, Frederick Frederick Hirsch Nokia On Feb 4, 2009, at 3:49 PM, ext Thomas Roessler wrote: On 4 Feb 2009, at 21:45, Arthur Barstow wrote: * Is supporting OCSP and CRL a MUST for v1? Just for clarity, there are two possible requirements around

Re: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: Packaging Configuration spec

2009-02-11 Thread Frederick Hirsch
of possible signature usage/role types and/or signers to be handled, will rules be expressed in terms of usage/role (e.g. distributor) and what else? The model is not clear to me. regards, Frederick Frederick Hirsch Nokia On Feb 6, 2009, at 10:51 AM, ext Priestley, Mark, VF-Group wrote: Hi

widgets 1.0 requirements suggestion

2009-02-12 Thread Frederick Hirsch
checks related to the signature key information, without necessarily validating the referenced widget content at that time. Risks associated with separating time of verification and validation steps may need consideration. regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006

Re: Using different widget signature roles

2009-02-19 Thread Frederick Hirsch
1.1 and Properties to be published as First Public Working Draft very soon, barring any last minute difficulties. regards, Frederick Frederick Hirsch Nokia On Feb 17, 2009, at 6:01 AM, ext Priestley, Mark, VF-Group wrote: Hi Frederick, Just thought I'd try and help with the generation

Updated Widgets 1.0 Signature editors draft

2009-02-24 Thread Frederick Hirsch
since we are discussing this item on the mailing list. Thanks regards, Frederick Frederick Hirsch Nokia

Re: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: Packaging Configuration spec

2009-02-24 Thread Frederick Hirsch
for signatures to be added or removed and hence a secure channel for widget delivery might be preferable. regards, Frederick Frederick Hirsch Nokia On Feb 6, 2009, at 10:51 AM, ext Priestley, Mark, VF-Group wrote: Hi Marcos, More responses to your comments below (marked [mp]). Still need

Re: [widgets] Comment on Widgets 1.0: Digital Signatures - the Usage property

2009-02-24 Thread Frederick Hirsch
believe that is specific to Widget Signature. regards, Frederick Frederick Hirsch Nokia On Feb 13, 2009, at 8:26 AM, ext Marcos Caceres wrote: 2009/2/12 Priestley, Mark, VF-Group mark.priest...@vodafone.com: [mp] As a general comment, I think this is a pretty difficult problem

Re: Review of latest Widget Signature Draft

2009-02-25 Thread Frederick Hirsch
Thomas Thanks for the careful review. comments inline regards, Frederick Frederick Hirsch Nokia On Feb 25, 2009, at 7:06 AM, ext Thomas Roessler wrote: In reviewing the latest draft, a couple of comments. Widgets 1.0: Digital Signatures Editor's Draft 23 February 2009 http

Re: ACTION-306: Trust anchors

2009-02-25 Thread Frederick Hirsch
this could be conveyed out of band and it might not always be appropriate to include in every signature. Thoughts on this one? regards, Frederick Frederick Hirsch Nokia On Feb 25, 2009, at 9:23 AM, ext Thomas Roessler wrote: I propose that we add the following text in the beginning of 6.2

Re: [widgets] Digsig optimization

2009-02-27 Thread Frederick Hirsch
and calculate the reference hashes once, eliminating that overhead if it were a concern. regards, Frederick Frederick Hirsch Nokia On Feb 27, 2009, at 6:48 AM, ext Marcos Caceres wrote: Hi Frederick, Mark, I have a concern wrt the author signature. It seems that both the author signature

Additional Widgets 1.0 Digital Signatures updates

2009-03-02 Thread Frederick Hirsch
/Public/public-webapps/2009JanMar/0548.html Remaining to do item is to add additional signature properties including signature id, expires/timestamp. regards, Frederick Frederick Hirsch Nokia

Re: Review of latest Widget Signature Draft

2009-03-03 Thread Frederick Hirsch
for ID based references + Timestamp and serial number, expiration As you note the issue of second hash algorithm might be more difficult and may also depend on XML Signature 1.1 decisions, so that has not also been addressed. Thanks regards, Frederick Frederick Hirsch Nokia On Feb 25, 2009

Re: numbering

2009-03-05 Thread Frederick Hirsch
. signature01.xml to signature09.xml. --- Does this make sense? regards, Frederick Frederick Hirsch Nokia On Mar 5, 2009, at 9:15 AM, ext timeless wrote: http://dev.w3.org/2006/waf/widgets-digsig/#locating-signatures 4.3 If the signatures list is not empty, sort the list of signatures

Re: [widgets] Minutes from 5 March 2009 Voice Conference

2009-03-05 Thread Frederick Hirsch
I updated the style for code items in the Digital Signature specification to brown. Does this work better? It does not conflict with other color uses as far as I can tell. Please look at http://dev.w3.org/2006/waf/widgets-digsig/ (refresh) regards, Frederick Frederick Hirsch Nokia

Re: [widgets] Minutes from 5 March 2009 Voice Conference

2009-03-05 Thread Frederick Hirsch
yes that has been the case ever since I've started working on this. Perhaps there is a W3C standard stylesheet we should be using. I'm not sure why the spec defines its own styles regards, Frederick Frederick Hirsch Nokia On Mar 5, 2009, at 11:45 AM, Kapyaho Jere (Nokia-D-MSW/Tampere

Updated Widgets 1.0 Signature editors draft

2009-03-05 Thread Frederick Hirsch
are possible changes related to Thomas's comments re ID reference language and additional properties. regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-digsig/

Re: [widgets] Minutes from 5 March 2009 Voice Conference

2009-03-05 Thread Frederick Hirsch
how about simple italics for code? I'll also look into reducing body text regards, Frederick Frederick Hirsch Nokia On Mar 5, 2009, at 11:59 AM, Hirsch Frederick (Nokia-CIC/Boston) wrote: yes that has been the case ever since I've started working on this. Perhaps there is a W3C standard

Re: Widget Signature update

2009-03-09 Thread Frederick Hirsch
I updated section 4 to correspond to this: If the signatures list is not empty, sort the list of signatures by the file name field in ascending numerical order (e.g. signature1.xml followed by signature2.xml followed by signature3.xml etc). regards, Frederick Frederick Hirsch Nokia

widget signature proposed change: ABNF

2009-03-12 Thread Frederick Hirsch
. January 2008./dd Unless I hear otherwise by Monday, I will make this change to the editors draft. If you agree with the change please let me know. Thanks regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-digsig/ On Mar 12, 2009, at 9:43 AM, Kapyaho Jere (Nokia-D

Re: widget signature proposed change: ABNF

2009-03-12 Thread Frederick Hirsch
-zero-range to hex? That would match the RFC approach... regards, Frederick Frederick Hirsch Nokia On Mar 12, 2009, at 12:06 PM, ext Marcin Hanclik wrote: Hi Frederick, One line of the ABNF quoted below could be adjusted to match RFC5234: 3.4. Value Range Alternatives: %c##-##. non-zero

Revised Proposal for Widget Signature ABNF

2009-03-12 Thread Frederick Hirsch
Backus-Naur FormABNF/abbr/cite/a. D. Crocker and P. Overell. January 2008./dd Unless I hear otherwise by Monday, I will make this change to the editors draft. If you agree with the change please let me know. Thanks regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf

Re: Revised Proposal for Widget Signature ABNF

2009-03-13 Thread Frederick Hirsch
-as elements c-nl ; continues if next line starts ; with white space Thanks. Kind regards, Marcin From: Frederick Hirsch [frederick.hir...@nokia.com] Sent: Thursday, March 12, 2009 10:15 PM

Widget Signature Proposal: Add constraints on ds:Reference URIs

2009-03-13 Thread Frederick Hirsch
. May 2001.http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/ regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-digsig/ [2] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0547.html

Re: [widgets] Comments on Widget Signature update (was RE: Widget Signature update)

2009-03-13 Thread Frederick Hirsch
Mark Thanks for your review, I have some comments inline. Thomas, can you please review my proposed change to the security considerations text Mark mentioned? Thanks regards, Frederick Frederick Hirsch Nokia On Mar 12, 2009, at 12:53 PM, ext Priestley, Mark, VF-Group wrote: Hi

[widgets-digsig] Editors Draft update and open issues

2009-03-16 Thread Frederick Hirsch
- SHA-256 and RSA-SHA-256. c) I suggest removing the restatement of algorithm requirements in section 7.1 , specifically remove #5a and #5b. Are there any other changes needed that we are aware of? Thanks regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-digsig/

Re: [widgets] Comments on Widget Signature update (was RE: Widget Signature update)

2009-03-17 Thread Frederick Hirsch
signatures. It should be possible to build a user agent that only processes signatures and is unaware any other of the widget 1.0 specifications. [Comment] by application do you mean widget user agent? as above. -- Marcos Caceres http://datadriven.com.au regards, Frederick Frederick Hirsch

Re: [widgets] Comments on Widget Signature update (was RE: Widget Signature update)

2009-03-17 Thread Frederick Hirsch
as possible. regards, Frederick Frederick Hirsch Nokia On Mar 17, 2009, at 7:22 AM, ext Marcos Caceres wrote: On Mon, Mar 16, 2009 at 12:17 PM, Thomas Roessler t...@w3.org wrote: I'd suggest this instead: Implementations should be careful about trusting path components found in the zip archive

Re: [widgets] Comments on Widget Signature update (was RE: Widget Signature update)

2009-03-17 Thread Frederick Hirsch
://dev.w3.org/2006/waf/widgets/#zip-relative-paths regards, Frederick Frederick Hirsch Nokia

[widget-digsig] zip relative path update

2009-03-18 Thread Frederick Hirsch
, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-digsig/ On Mar 17, 2009, at 8:15 AM, ext Marcos Caceres wrote: Hi Frederick, On 3/17/09 1:01 PM, Frederick Hirsch wrote: The latest draft includes the revised text from Thomas. Marcos, are you suggesting we add

[widget-digsig] proposed change to 7.1, common constraints, for algorithms

2009-03-18 Thread Frederick Hirsch
of the recommended key length Does this change make sense? Do you have any suggestion or comment? Thanks for the careful review of the draft. regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-digsig/ [mp] While this is better I think it misses the fact that we are strongly

[widgets-digsig] Updated 5.1 with revised Reference constraint text

2009-03-18 Thread Frederick Hirsch
additional comment or corrections. Thanks Marcos for suggestions to this wording. (Also removed Inc from Nokia in title page) regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-digsig/

[widget-digsig] changed widget signature files processing rule in section 4

2009-03-18 Thread Frederick Hirsch
or correction. The latest draft also changes all usage of widget user agent to user agent. regards, Frederick Frederick Hirsch Nokia On Mar 16, 2009, at 4:46 PM, ext Priestley, Mark, VF-Group wrote: [mp] My view is that whether zero, one or more signatures is processed is up to the widget user

[widget-digsig] Editors note to be added to widget signature

2009-03-19 Thread Frederick Hirsch
of XML Signature 1.1. regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-digsig/#algorithms

RE: [widget-digsig] proposed change to 7.1, common constraints, for algorithms

2009-03-19 Thread Frederick Hirsch
length defined for each algorithm but can defer for now. Will this change of sentence work ? Thanks regards, Frederick Frederick Hirsch Nokia (for some reason this message of yours did not reach my personal inbox, but it was on the list) Hi Frederick, I agree with all of your changes

[widget-digsig] Editorial update of Widget Signature

2009-03-19 Thread Frederick Hirsch
earlier that we would add this material. 4. Changed Security Policy to lowercase as appropriate. This should complete all my editorial actions before publication. Please review and let me know of any corrections or noted omissions. regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org

Re: [widget-digsig] Editorial update of Widget Signature

2009-03-19 Thread Frederick Hirsch
Completed additional changes to Editorial note in section 6, added links to XML Security WG home page, list of comments on FPWD and mailto link for comments on XML Signature 1.1. Also fixed editorial nit, final set to a final set regards, Frederick Frederick Hirsch Nokia On Mar 19, 2009

Re: [widgets] new digsig draft

2009-03-26 Thread Frederick Hirsch
Marcos I checked in another revision to fix the broken link in 7. 2 (last sentence included s in span) and to fix various validation errors. The latest revision looks ok to me now, version 1.85 of Overview.src.html, version 1.93 of Overview.html regards, Frederick Frederick Hirsch

additional widgets signature fix

2009-03-26 Thread Frederick Hirsch
I fixed one additional ordered list nit in widgets signature, so it validates correctly. When published the document date will need to be updated to the publication date. regards, Frederick Frederick Hirsch Nokia

Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-26 Thread Frederick Hirsch
the same signing key are from the same party . regards, Frederick Frederick Hirsch Nokia On Mar 26, 2009, at 12:14 PM, ext Hillebrand, Rainer wrote: Hi Marcos! I agree with your suggestions. Best Regards, Rainer --- Sent from my mobile device

Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-26 Thread Frederick Hirsch
I think the draft provides enough assurance for the intended level of use. If you want higher levels of assurance more will be required, but I don't believe we have a requirement here for that. regards, Frederick Frederick Hirsch Nokia On Mar 26, 2009, at 12:20 PM, ext Hillebrand, Rainer

Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-26 Thread Frederick Hirsch
as policy and other such important considerations, which we have not detailed in the specification. regards, Frederick Frederick Hirsch Nokia On Mar 26, 2009, at 5:06 PM, ext Marcin Hanclik wrote: Hi, I support this view. In the whole design of various widget signatures it seems

Re: [BONDI Architecture Security] [widgets] new digsig draft, further comments

2009-03-27 Thread Frederick Hirsch
Marcin [removed cross-posting, since my posting would fail anyway] comments inline regards, Frederick Frederick Hirsch Nokia On Mar 27, 2009, at 5:27 AM, ext Marcin Hanclik wrote: Hi Marcos, These are my further comments to the DigSig spec: 1. There is no section about typographic

Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-27 Thread Frederick Hirsch
Marcin Thanks, for the careful review. some comment inline [removed cross post, fails anyway] regards, Frederick Frederick Hirsch Nokia On Mar 26, 2009, at 2:04 PM, ext Marcin Hanclik wrote: Hi Marcos, All, Please find below my - mostly editorial - comments to the latest digsig

Re: [BONDI Architecture Security] [widgets] new digsig draft, further comments

2009-03-27 Thread Frederick Hirsch
... also, ok with your proposed change Within a widget package these signature files MUST be ordered based on the numeric portion of the signature file name. regards, Frederick Frederick Hirsch Nokia On Mar 27, 2009, at 9:41 AM, ext Marcin Hanclik wrote: Hi Frederick, Thanks for your review

Re: [widgets] Author

2009-03-27 Thread Frederick Hirsch
No I agree, we are trying to stay away from legal statements , that requires much more. regards, Frederick Frederick Hirsch Nokia On Mar 27, 2009, at 10:40 AM, ext Marcin Hanclik wrote: Hi Frederick, re author, would the term creator in the sentence from Thomas help, this probably

Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-27 Thread Frederick Hirsch
comments inline, thanks for reviewing this regards, Frederick Frederick Hirsch Nokia On Mar 27, 2009, at 1:26 PM, ext Hillebrand, Rainer wrote: Dear Marcos, I hope to have less critical comments than in my last feedback email. 1. Section 7.1: change The ds:SignatureMethod algorithm used

Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-27 Thread Frederick Hirsch
I think we should remove it. Also, I revised the e.g. as follows ... undesirable and security relevant effects, such as overwriting of startup or system files. regards, Frederick Frederick Hirsch Nokia On Mar 27, 2009, at 2:00 PM, ext Hillebrand, Rainer wrote: Dear Frederick, I

[widget-digsig] Updated Editors Draft of Widget Signature

2009-03-27 Thread Frederick Hirsch
. Removed trust anchor text in 7.3: The set of acceptable trust anchors, and policy decisions based on the signer's identity are established through a security-critical out- of-band mechanism. http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0982.html regards, Frederick Frederick

[widget-digsig] Pls review: Additional considerations on elliptic curve algorithms to consider

2009-04-08 Thread Frederick Hirsch
be required in Widget Signature. Please share this additional information in your organization and indicate if it would cause any change in position regarding the mandatory to implement algorithms. Thank you regards, Frederick Frederick Hirsch, Nokia Chair XML Security WG [1] http://lists.w3

Re: ISSUE-83 (digsig should not be read at runtime): Instantiated widget should not be able to read digital signature [Widgets]

2009-04-14 Thread Frederick Hirsch
+1 I do not understand the attack, but can envision cases where precluding access could cause problems. Examples might be user see what is signed or access to signature properties. Is this an access control issue rather than a general specification rule? regards, Frederick Frederick

Re: [widgets] Jar signing vs. XML signatures

2009-04-15 Thread Frederick Hirsch
. So apart from personal preference I do not see why a change is needed. regards, Frederick Frederick Hirsch Nokia On Apr 15, 2009, at 3:00 PM, ext Jonas Sicking wrote: On Tue, Apr 14, 2009 at 4:38 AM, Marcos Caceres marc...@opera.com wrote: Although I agree that it was probably a short

Proposal for ISSUE-83

2009-04-21 Thread Frederick Hirsch
[Widgets-DigSig] specification, in which case the user agent MUST make signature documents available to the implementation of the [Widgets-DigSig] specification. This message should complete ACTION-329 which should be closed. regards, Frederick Frederick Hirsch Nokia

Re: [widget] [widget-digsig] Comment on WD of Widgets 1.0: Digital Signatures - use of Created property

2009-04-21 Thread Frederick Hirsch
if there is no need for the Created property in the Widgets Signature spec I suggest we remove it, though keep what we have in the Signature Properties specification. regards, Frederick Frederick Hirsch Nokia On Apr 15, 2009, at 5:45 AM, ext Priestley, Mark, VF-Group wrote: Dear All

Re: [widgets] Agenda for 23 April 2009 Voice Conference

2009-04-22 Thread Frederick Hirsch
of Signature Properties, thus remove section 9 from widget signature http://dev.w3.org/2006/waf/widgets-digsig/#sigproperties any other comments received that we might have missed? regards, Frederick Frederick Hirsch Nokia On Apr 22, 2009, at 7:36 AM, Barstow Art (Nokia-CIC/Boston) wrote

Re: [widgets] Agenda for 23 April 2009 Voice Conference

2009-04-22 Thread Frederick Hirsch
I agree that the sentence should be dropped. I'll take an editorial pass today to remove that sentence, address the agreed changes on Mark's editorial comments and to remove the Created material. Thanks for noting this one. regards, Frederick Frederick Hirsch Nokia On Apr 22, 2009

Re: [widgets] New WD of Widgets 1.0: Digital Signatures spec published on March 31

2009-04-22 Thread Frederick Hirsch
don't think we can always expect creation of a physical file for processing. Suggest not making any change here. regards, Frederick Frederick Hirsch Nokia On Apr 22, 2009, at 6:45 AM, ext Marcos Caceres wrote: On Tue, Apr 21, 2009 at 11:14 PM, Frederick Hirsch frederick.hir...@nokia.com wrote

[widget-digsig] updated Widget Signature editors draft

2009-04-22 Thread Frederick Hirsch
in general. regards, Frederick Frederick Hirsch Nokia

Re: [widgets] New WD of Widgets 1.0: Digital Signatures spec published on March 31

2009-04-22 Thread Frederick Hirsch
and also to see if any new mistakes have been introduced. regards, Frederick Frederick Hirsch Nokia On Apr 22, 2009, at 5:53 PM, ext Priestley, Mark, VF-Group wrote: Thanks Frederick and Marcos - responses inline. Only a couple of questions left :) Regards, Mark -Original Message- From

Re: [widgets] New WD of Widgets 1.0: Digital Signatures spec published on March 31

2009-04-23 Thread Frederick Hirsch
I've added this to the Widgets Signature specification. regards, Frederick Frederick Hirsch Nokia On Apr 23, 2009, at 3:18 AM, ext Priestley, Mark, VF-Group wrote: Thanks Frederick! -Original Message- From: Frederick Hirsch [mailto:frederick.hir...@nokia.com] Sent: 22 April 2009

Re: [widget-digsig] Pls review: Additional considerations on elliptic curve algorithms to consider

2009-04-23 Thread Frederick Hirsch
I agree . Also to be clear Mark, I believe you are saying VF supports a MUST in the XML Signature 1.1 specification. regards, Frederick Frederick Hirsch Nokia On Apr 23, 2009, at 8:15 AM, ext David Rogers wrote: Marcos, Surely the logic should support algorithm evolution in that way

[widget-digsig] Updated Widget Signature editors draft

2009-04-23 Thread Frederick Hirsch
Added FIPS-186-3 reference http://dev.w3.org/2006/waf/widgets-digsig/ Note that we will need to update the Signature Properties reference, when that specification is published with this specification. regards, Frederick Frederick Hirsch Nokia

Updates to Widget Signature

2009-04-28 Thread Frederick Hirsch
issues with these changes or any other corrections by tomorrow morning Eastern time. Thank you regards, Frederick Frederick Hirsch Nokia [1] http://dev.w3.org/2006/waf/widgets-digsig/#naming-convention-for-an-author-signature and http://dev.w3.org/2006/waf/widgets-digsig/#naming-convention

Re: [widgets] Dig Sig review in prep for LC

2009-04-29 Thread Frederick Hirsch
+1 I don't see the need for that paragraph. regards, Frederick Frederick Hirsch Nokia On Apr 29, 2009, at 6:36 AM, ext Thomas Roessler wrote: Hi Frederick, Some tiny editorial changes I think we should add the following sub-section to the Status of This Document: [[ h3 class=no-num

Re: [widgets] Dig Sig review in prep for LC

2009-04-29 Thread Frederick Hirsch
comments inline, including proposals. thanks for the review regards, Frederick Frederick Hirsch Nokia On Apr 29, 2009, at 4:01 AM, ext Marcos Caceres wrote: Hi Frederick, Some tiny editorial changes I think we should add the following sub-section to the Status of This Document

Re: [widgets] dig sig and requirements ready for pub!

2009-05-05 Thread Frederick Hirsch
I was aware of what you quoted Marcos, but it was implicit. If it is ok, then I'm not sure why we've been having this email thread... regards, Frederick Frederick Hirsch Nokia On May 5, 2009, at 6:38 AM, ext Marcos Caceres wrote: On Tue, May 5, 2009 at 12:33 PM, Arthur Barstow art.bars

[widgets-digsig] minor editorial update

2009-05-07 Thread Frederick Hirsch
://dev.w3.org/2006/waf/widgets-digsig/#algorithms regards, Frederick Frederick Hirsch Nokia

Re: [widgets] dig sig and requirements ready for pub!

2009-05-07 Thread Frederick Hirsch
I assume this issue is closed with no need to add this text, given the subsequent thread. If this is incorrect please note that on the list. Thanks regards, Frederick Frederick Hirsch Nokia On May 5, 2009, at 6:33 AM, Barstow Art (Nokia-CIC/Boston) wrote: On May 4, 2009, at 10:13 AM

Re: Reminder: Comments for LCWD of Widgets 1.0: Digital Signatures due June 1

2009-06-04 Thread Frederick Hirsch
XML Signature 1.1 notes that the order of certificates in X.509Data is not specified. http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-X509Data Is this really expected to be an issue, with long cert chains? regards, Frederick Frederick Hirsch Nokia On Jun 4, 2009

Re: Widgets 1.0: Digital Signatures

2009-06-04 Thread Frederick Hirsch
Thanks for the review Josh. These all look editorial to me and I assume we can handle them during CR. regards, Frederick Frederick Hirsch Nokia On Jun 4, 2009, at 9:30 AM, ext timeless wrote: Hi, apologies for the late comments. I hope all of my comments are of an editorial nature

Re: Reminder: Comments for LCWD of Widgets 1.0: Digital Signatures due June 1

2009-06-08 Thread Frederick Hirsch
XML Signature 1.1 should be referenced. It defines the URI for the algorithms, context for use in XML Signature, and references etc. regards, Frederick Frederick Hirsch Nokia On Jun 8, 2009, at 8:30 AM, ext Marcin Hanclik wrote: Hi Marcos, Also, DSA-SHA-1, RSA-SHA-256, and ECDSA-SHA

Re: Reminder: Comments for LCWD of Widgets 1.0: Digital Signatures due June 1

2009-06-08 Thread Frederick Hirsch
call to freeze the spec but I guess not... ) regards, Frederick Frederick Hirsch Nokia On Jun 8, 2009, at 7:07 AM, ext Marcos Caceres wrote: On Thu, Jun 4, 2009 at 2:27 PM, Priestley, Mark, VF-Group mark.priest...@vodafone.com wrote: Hi Art, All, Vodafone has some late comments which

Re: [widgets] dig sig RelaxNG schema

2009-06-25 Thread Frederick Hirsch
copying this message with the XML Security WG. Thanks regards, Frederick Frederick Hirsch, Nokia Chair XML Security WG [1] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-Schema [2] http://www.w3.org/2007/xmlsec/Drafts/xmldsig-rngschema/ On Jun 25, 2009, at 7:13 AM, ext Kai

[cors] Comments on 17 March 2009

2009-06-30 Thread Frederick Hirsch
adhere to HTTP redirect semantics. as an editors note. 25 Editorial: Section 6.1 some of the spacing between items seems to need additional space 26 Editorial: Section 7.3 Replace progresing with progressing regards, Frederick Frederick Hirsch Nokia

Re: [cors] Additional Comments on 17 March 2009 cors draft

2009-06-30 Thread Frederick Hirsch
policy 3. if policy disallows then the browser does not allow the content to be used. In any case, doesn't this open an attack to get the content by sniffing the wire for the response content, regardless of the header? regards, Frederick Frederick Hirsch Nokia [1] http://arunranga.com

Re: [cors] Additional Comments on 17 March 2009 cors draft

2009-07-01 Thread Frederick Hirsch
So the issue is not confidentiality, it is inappropriate script execution. Got it. Thanks Anne regards, Frederick Frederick Hirsch Nokia On Jul 1, 2009, at 5:34 AM, ext Anne van Kesteren wrote: I might not have time to address your larger set of questions before I leave on vacation

Re: [WARP] Last Call comments (1)

2009-09-10 Thread Frederick Hirsch
. if this is correct, aren't these fundamentally different? regards, Frederick Frederick Hirsch Nokia On Aug 27, 2009, at 2:06 PM, ext Marcin Hanclik wrote: Hi All, Here are a couple of the Last Call comments to WARP LCWD [1]. They were already partially presented in my emails [2] and [3

Re: HTML extension for system idle detection.

2009-09-17 Thread Frederick Hirsch
isn't the mere knowledge of the level of activity on a device a possible privacy concern, and couldn't the pattern of activity offer a traffic analysis type opportunity? regards, Frederick Frederick Hirsch Nokia On Sep 17, 2009, at 1:35 PM, ext Jeremy Orlow wrote: On Thu, Sep 17, 2009

Re: Widget DigSign: Example of a distributor signature document is buggy

2009-10-07 Thread Frederick Hirsch
Christian You are correct, thank you for catching this error. I have updated the editors draft accordingly. http://dev.w3.org/2006/waf/widgets-digsig/#example regards, Frederick Frederick Hirsch Nokia On Oct 6, 2009, at 9:44 AM, ext Breitschwerdt, Christian, VF-Group wrote: Hi Marcos

Re: Widget DigSign: Example of a distributor signature document is buggy

2009-10-08 Thread Frederick Hirsch
in the widget package, syntax correctness, presence of required property elements, and use of Role attribute for author and distributor signatures. 2. Signature value verification when specific algorithms are used for a given input. regards, Frederick Frederick Hirsch Nokia On Oct 8

Proposed additional topic for joint DAP/WebApps Widgets F2F session

2009-10-29 Thread Frederick Hirsch
WG from everyone who can help the DAP WG and I'd like to make sure that somehow we have this discussion during TPAC. Thus Agenda topic for joint DAP/Webapps-Widget is Security Considerations, including HTML5. regards, Frederick Frederick Hirsch, Nokia Co-Chair, W3C DAP Working Group

Re: Proposed additional topic for joint DAP/WebApps Widgets F2F session

2009-10-29 Thread Frederick Hirsch
David Would it be possible for you to summarize what you think the issue is, as far as architecture and technical disparities, as a first step? regards, Frederick Frederick Hirsch Nokia On Oct 29, 2009, at 11:54 AM, ext David Rogers wrote: Hi, As discussed on the webapps call

Re: Rename “File API” to “FileReader API”?

2009-11-11 Thread Frederick Hirsch
as an integral part of API development, while also developing policy mechanisms, thus I do not think the view you mention is widely held. regards, Frederick Frederick Hirsch Nokia On Nov 10, 2009, at 8:47 PM, ext Maciej Stachowiak wrote: On Nov 10, 2009, at 3:09 AM, Robin Berjon wrote: On Nov 10

Re: DAP and security (was: Rename File API to FileReader API?)

2009-11-18 Thread Frederick Hirsch
directories are for or where to navigate). Arbitrary directory navigation for writing files is not a good idea. More importantly we have to be careful with analogies. regards, Frederick Frederick Hirsch Nokia On Nov 18, 2009, at 3:14 PM, ext Jonas Sicking wrote: On Wed, Nov 18, 2009 at 5:27

Re: Security evaluation of an example DAP policy

2009-11-20 Thread Frederick Hirsch
. Do we need to go into more detail on these two (as examples)? regards, Frederick Frederick Hirsch Nokia On Nov 20, 2009, at 9:15 AM, ext Jeremy Orlow wrote: These are reasons, but I think the greatest cause of our concern is that we have not seen any examples of how policies can provide

Re: Security evaluation of an example DAP policy

2009-11-20 Thread Frederick Hirsch
detail on the use cases or additional use cases? regards, Frederick Frederick Hirsch Nokia On Nov 20, 2009, at 10:12 AM, ext Marcin Hanclik wrote: Hi, Reliably identified Websites can send and receive SMS except to premium rate numbers. There seems to be no worldwide pattern to recognize

Re: [WARP4U] WARP with UPnP, was: RE: [widgets] Draft Minutes for 19 November 2009 Voice Conference

2009-12-03 Thread Frederick Hirsch
+1, duplicating material is a recipe for disaster. regards, Frederick Frederick Hirsch Nokia On Dec 2, 2009, at 8:22 AM, ext Robin Berjon wrote: On Dec 1, 2009, at 22:22 , Marcin Hanclik wrote: Can you please update this to just be a delta? As far as I know W3C specs, delta documents

Re: [widgets] DigSig - proposed change to XML Signature Properties

2010-01-07 Thread Frederick Hirsch
that Signature Properties is about to enter Last Call. regards, Frederick Frederick Hirsch Nokia [1] http://www.w3.org/2005/10/Process-20051014/tr.html#cfi On Jan 7, 2010, at 2:17 PM, Barstow Art (Nokia-CIC/Boston) wrote: The XML Security WG is considering changing the syntax of the Profile

Editorial Update: Signature Properties

2010-01-08 Thread Frederick Hirsch
to date. This should not break any implementations but make it easier to find and work with the schema. Comments/corrections welcome. Thanks regards, Frederick Frederick Hirsch Nokia Begin forwarded message: From: Hirsch Frederick (Nokia-CIC/Boston) frederick.hir...@nokia.com Date
