RE: [widget-digsig] Updated Widget Signature editors draft
I would like to see some text cautioning authors not to rely on this algorithm, since it is optional in user agents. Agreed - in fact I think a general statement about use of optional algorithms would be beneficial -Original Message- From: public-webapps-requ...@w3.org [mailto:public-webapps-requ...@w3.org] On Behalf Of Marcos Caceres Sent: 24 April 2009 09:46 To: Frederick Hirsch Cc: Web Applications Working Group WG Subject: Re: [widget-digsig] Updated Widget Signature editors draft Hi Frederick, Thanks for updating the spec! comment below. On Fri, Apr 24, 2009 at 3:14 AM, Frederick Hirsch frederick.hir...@nokia.com wrote: I have updated the Widget Signature draft to reflect decisions on today's call, as follows: Added ECDSAwithSHA256 as SHOULD signature algorithm I would like to see some text cautioning authors not to rely on this algorithm, since it is optional in user agents. Removed editor notes re feedback on signature algorithms Removed editor note with Signature Properties reference, since we've removed section 9 Added FIPS-186-3 reference http://dev.w3.org/2006/waf/widgets-digsig/ Note that we will need to update the Signature Properties reference, when that specification is published with this specification. regards, Frederick Frederick Hirsch Nokia -- Marcos Caceres http://datadriven.com.au
[widget-digsig] Updated Widget Signature editors draft
I have updated the Widget Signature draft to reflect decisions on today's call, as follows: Added ECDSAwithSHA256 as SHOULD signature algorithm Removed editor notes re feedback on signature algorithms Removed editor note with Signature Properties reference, since we've removed section 9 Added FIPS-186-3 reference http://dev.w3.org/2006/waf/widgets-digsig/ Note that we will need to update the Signature Properties reference, when that specification is published with this specification. regards, Frederick Frederick Hirsch Nokia
[widget-digsig] updated Widget Signature editors draft
I have updated the widget signature editors draft http://dev.w3.org/2006/waf/widgets-digsig/ 1. Removed section 9, Draft update to XML Signature Properties since XML Security WG plans to publish latest revision of Signature Properties in conjunction with next Widget Signature publication. 2. Removed all mention of Created property, removed from example 1.4, mention in 1.5, remove section 5.6, mention in 7.2 and 7.3 3. removed sentence from abstract and introduction that received negative comment: Widget authors and distributors can digitally sign widgets as a trust and quality assurance mechanism 4. Implemented Editorial requests from Mark that we all agreed, including refinements from timeless, and Marcos. Note that I used signature file where talking about files specifically, and widget signature when talking about features of the XML signature itself, since otherwise it makes no sense. Dropped MAY from definition, which MAY logically contain , as suggested by Marcos. add ZIP reference to Stored usage. 5 Updated acknowledgements to thank XML Security WG and other reviewers. 6. Added proposed text to 5.1 to resolve ISSUE-83 A user agent MUST prevent a widget from accessing the contents of a digital signature document unless an access control mechanism explicitly enables such access e.g. via a an access control policy. The definition of such a policy mechanism is out of scope of this specification, but may be defined to allow access to all or parts of the signature documents, or deny any such access. 7. Fixed an internal link issue related to choice of verification versus validation of signatures. We still have some issues to resolve with links into the requirements document, and thus possibly the requirements section in general. regards, Frederick Frederick Hirsch Nokia