The minutes from the WAF WG's June 5 Widgets voice conference are available at the following and copied below:

 <http://www.w3.org/2008/06/05-waf-minutes.html>

WG Members - if you have any comments, corrections, etc., please send them to the public-appformats mail list before June 12; otherwise the minutes will be considered approved.

-Regards, Art Barstow

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                       Widgets Voice Conference

05 Jun 2008

   [2]Agenda

      [2] http://lists.w3.org/Archives/Member/member-appformats/2008Jun/0000.html

   See also: [3]IRC log

      [3] http://www.w3.org/2008/06/05-waf-irc

Attendees

   Present
          Art, Arve, Thomas, Arve, Marcos, Ben

   Regrets
          Claudio

   Chair
          Art

   Scribe
          Art

Contents

     * [4]Topics
         1. [5]Review Agenda
         2. [6]reusing TLS certs for Widgets
         3. [7]Digital Signature spec - open issues
         4. [8]widget: scheme
         5. [9]Web Apps Charter update
         6. [10]Next F2F Meeting
     * [11]Summary of Action Items
     _________________________________________________________



   <arve> I'm having some trouble calling in

   <arve> as in, it doesn't seem to set me up

   Date: 5 June 2008

   <scribe> Scribe: Art

   <scribe> ScribeNick: ArtB

Review Agenda

   AB:
   [12]http://lists.w3.org/Archives/Member/member-appformats/2008Jun/0000.html
   ... above is today's agenda
   ... Any change requests for the agenda?

     [12] http://lists.w3.org/Archives/Member/member-appformats/2008Jun/0000.html

   [none]

reusing TLS certs for Widgets

   AB: latest ED is [13]http://dev.w3.org/2006/waf/widgets-digsig/

     [13] http://dev.w3.org/2006/waf/widgets-digsig/

   ABe: I have a specific question
   ... when establishing a root cert, can the SSL root cert be re-used
   ... thus vendors don't have to have two separate root certs

   MC: I know Verisign sells a variety of certs
   ... and one is for code signing
   ... Y! is the only vendor that is doing signing
   ... I can look at what they are doing and report back
   ... Benoit has also done some work in this area

   TLR: with XML Sign would use X509
   ... a) will Widget engine reuse certs

   <marcos> Vista side bar: We might want to have a look at
   [14]http://blog.eqinox.net/jed/articles/1707.aspx

     [14] http://blog.eqinox.net/jed/articles/1707.aspx

   <marcos> (Benoit sent me that link)

   TLR: b) the question is whether there might be reservations from the
   CAs; we should probably talk to them
   ... I believe code signing certs to be more expensive
   ... it may make sense to keep them separate but at the end of the
   day it's a policy decision

   AB: decision on behalf of the widget engine vendor?

   TLR: yes but the CA too
   ... the decision is independent of whether or not XML Sig is used

   <marcos> To quote Yahoo: "If you sign your Widget with a
   code-signing certificate issued by VeriSign, we can also verify the
   authenticity of the certificate itself. We intend to support more
   certificate authorities in future releases."

   TLR: yes, a web server cert can be taken over thus it makes sense
   from a security perspective for them to use a separate code-signing
   cert
   ... different use cases really

   ABe: OK, this discussion was helpful
   ... I think we may have more questions later

   AB: with the proviso I'm not an expert in this area, it's not clear
   we need to mandate anything

   TLR: we may want to say code-signing certs are mandatory

   <marcos> Another interesting link:
   [15]http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2015994&SiteID=1

     [15] http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2015994&SiteID=1

   TLR: but it could create some interop problems
   ... For a code-signing cert, may want a different type of validation
   for the party that does the signing
   ... CAs may not want certs intended for TLS being re-used for
   widgets
   ... we really should get a CA or two at the table to discuss this

   AB: which security-related WGs can we contact?

   TLR: Phillip Hallam-Baker from Verisign is one person
   ... there are ... GoDaddy is a W3C member company with a CA business
   as well ...
   ... Art could send an e-mail to the AC reps of the CAs
   ... mobile people are doing related work

   BW: our security guy is active in OMTP and made a related proposal

   AB: can we get that proposal?

   ACTION Worthington see if VF's signing input to OMTP can be shared
   with WAF

   <trackbot> Created ACTION-181 - See if VF's signing input to OMTP
   can be shared with WAF [on Ben Worthington - due 2008-06-12].

   ACTION Barstow contact the CAs regarding the reuse of TLS certs for
   Widgets

   <trackbot> Created ACTION-182 - Contact the CAs regarding the reuse
   of TLS certs for Widgets [on Arthur Barstow - due 2008-06-12].

   TLR: GoDaddy is one of the CAs I mentioned that is a member

   AB: OK, thanks

Digital Signature spec - open issues

   AB: [16]http://dev.w3.org/2006/waf/widgets-digsig/
   ... we have several open issues in the latest ED
   ... we can use this an opportunity to get feedback from Thomas
   ... would like to understand our plan to address these issues

     [16] http://dev.w3.org/2006/waf/widgets-digsig/

   MC: we have a request to support signatures from multiple people
   ... also an open issue regarding certificate chaining

   AB: regarding multiple signing, what's the current state?

   MC: the only widget engine vendor is Y! and they aren't doing
   anything here
   ... in the mobile world, Java supports multiple signatures
   ... I would also like to understand Apple's model

   <marcos> MC: iphone apps

   ACTION Barstow investigate Java model for multiple signatures

   <trackbot> Created ACTION-183 - Investigate Java model for multiple
   signatures [on Arthur Barstow - due 2008-06-12].

   AB: where did the signature chain requirement come from?

   MC: there is no requirement but it is something XML Signature
   supports

   TLR: yes, could have a list of certs that needs to be walked up
   ... more of an X509 property
   ... could say all intermediate certs need to be there

   <marcos> TLR: it might be best to just have the X.509 cert data be
   put into the <x509data> element as a single block

   <marcos> Mc: I agree

   AB: is there a follow-up issue/action?

   MC: no, we just need to spec the model

   AB: the new XML Security WG includes in its Charter a liaison with
   WAF

   TLR: the XML Security Maintenance WG will end at the end of June
   ... it is slowly ramping up

   <marcos> :)

   TLR: thus use the Maintenance WG mail list now for communication

   AB: are there other issues to discuss today, Marcos?

   MC: I think we've covered the main issues

   TLR: two more points
   ... 1. should probably add a timestamp
   ... 2. regarding transform, it turns out it's not well-defined
   ... do you have any more clarity?

   MC: no; as you say it's not well-defined

   TLR: think we need to investigate this more

   MC: it would be helpful if I knew exactly what to look for

   TLR: perhaps look at the deflate algorithm

   MC: are you signing the compressed blob or not
   ... for v1 could say you must do it this way; and then for v2 we
   could add the transform if there is a request for it

   <tlr> TR: Not having the transform sounds like it wants an
   additional security consideration; happy to provide that.

   <tlr> ACTION: roessler to contribute security considerations for
   decompression and signature validation [recorded in
   [17]http://www.w3.org/2008/06/05-waf-minutes.html#action01]

   <trackbot> Created ACTION-184 - Contribute security considerations
   for decompression and signature validation [on Thomas Roessler - due
   2008-06-12].

   <marcos> A

   <marcos> ACTION: Marcos to add timestamp element to widget dig sig
   spec [recorded in
   [18]http://www.w3.org/2008/06/05-waf-minutes.html#action02]

   <trackbot> Created ACTION-185 - Add timestamp element to widget dig
   sig spec [on Marcos Caceres - due 2008-06-12].

widget: scheme

   AB: Marcos made a proposal
   [19]http://lists.w3.org/Archives/Public/public-appformats/2008May/0088.html
   ... we received lots of comments, even from TBL

     [19] http://lists.w3.org/Archives/Public/public-appformats/2008May/0088.html

   MC: I think some people hadn't read the spec, yet they commented
   anyway
   ... the proposal to use http scheme just doesn't make sense for our
   use
   ... my proposal says you can use http if you want to
   ... but it would mean changing the widget engine architecture

   ACTION Barstow follow-up the scope issue related to the widget:
   scheme thread

   <trackbot> Created ACTION-186 - Follow-up the scope issue related to
   the widget: scheme thread [on Arthur Barstow - due 2008-06-12].

   <marcos>
   [20]http://lists.w3.org/Archives/Public/public-appformats/2008May/0140.html

     [20] http://lists.w3.org/Archives/Public/public-appformats/2008May/0140.html

   <marcos> My proposal was:
   [21]http://widgetengine:port/instanceID/package.wgt/path/to/resource

     [21] http://widgetengine/instanceID/package.wgt/path/to/resource

   AB: I think we've done a good job of keeping the TAG informed
   ... but if they don't read the spec and understand our use cases we
   need to consider that in our disposition of their comments

   MS: we do indeed need to include the TAG in such discussions
   ... we must get approval eventually from the Director
   ... thus I recommend we seriously consider any comment from the
   Director

   MC: I responded to Tim's email
   ... the ball is in his court now; he hasn't responded

   MS: I don't think we need to go out of our way to ask Tim to
   respond, at least not at this point
   ... If he feels strongly about it he surely will let us know and we
   will have to deal with it

   ABe: I think most of the comments were from people that didn't
   understand our use case

   <MikeSmith> tlr-

   ABe: perhaps we should separately write up our UCs and Reqs

   <marcos> The req:
   [22]http://dev.w3.org/2006/waf/widgets-reqs/#r5.-addressing

     [22] http://dev.w3.org/2006/waf/widgets-reqs/#r5.-addressing

   AB: I agree with Arve
   ... Marcos do we have related requirements

   MC: yes, we do have a requirement

   <marcos> ACTION: expand requirement number 5 to be more descriptive
   [recorded in
   [23]http://www.w3.org/2008/06/05-waf-minutes.html#action03]

   <trackbot> Sorry, couldn't find user - expand

   <marcos> ACTION: Marcos to expand requirement number 5 to be more
   descriptive [recorded in
   [24]http://www.w3.org/2008/06/05-waf-minutes.html#action04]

   <trackbot> Created ACTION-187 - Expand requirement number 5 to be
   more descriptive [on Marcos Caceres - due 2008-06-12].

   AB: do we want to continue this topic next week?

   MC: no I don't think so
   ... I think we just need to document the usage better
   ... unless someone wants to use http:

   ABe: no I don't think so
   ... http: scheme isn't appropriate for the Widget engine where origin
   isn't necessarily a Web site
   ... I don't think we should use http: for things it was not intended for
   ... I do NOT want to use http:

   AB: I support Arve's position as our continued working model
   ... others?

   MC: I'll abstain on this
   ... it would add a lot of complexity; too much I think
   ... certainly not for v1

Web Apps Charter update

   AB: any new news Mike?

   MS: I don't have any new news to share
   ... hope to have something by next VC

   AB: we are currently working with an Expired Charter

   MS: yes, I know

Next F2F Meeting

   AB: last week we agreed it would be in Sept
   ... but that was a conflict for Marcos
   ... new proposal: August 26-28 in Turino
   ... any objections?

   ABe: OK with me

   MC: OK with me
   ... and thanks all for changing the date

   RESOLUTION: our next Widgets f2f meeting will be August 26-28 in
   Turino hosted by Telecom Italia

   AB: Meeting Adjourned

Summary of Action Items

   [NEW] ACTION: expand requirement number 5 to be more descriptive
   [recorded in
   [25]http://www.w3.org/2008/06/05-waf-minutes.html#action03]
   [NEW] ACTION: Marcos to add timestamp element to widget dig sig spec
   [recorded in
   [26]http://www.w3.org/2008/06/05-waf-minutes.html#action02]
   [NEW] ACTION: Marcos to expand requirement number 5 to be more
   descriptive [recorded in
   [27]http://www.w3.org/2008/06/05-waf-minutes.html#action04]
   [NEW] ACTION: roessler to contribute security considerations for
   decompression and signature validation [recorded in
   [28]http://www.w3.org/2008/06/05-waf-minutes.html#action01]

   [End of minutes]
