Hi Frederick,

On Tue, Feb 24, 2009 at 11:19 PM, Frederick Hirsch <frederick.hir...@nokia.com> wrote:
> The Widget Signature spec is not an API definition so probably does not need
> to define how signature status information is returned.

You are right, so agreed.

> I also agree that it
> would be incorrect to define in the Widget Signature spec whether or not a
> widget is valid, that is out of scope.

Right again.

> The spec limits itself to signature
> validation. However I would not want to be prescriptive in the
> specification to the level of status return codes.

Ok, makes sense.

> We may want to add a security considerations note along the lines of
>
> "As distributor signatures are not included in an overall widget signature,
> it is possible for signatures to be added or removed and hence a secure
> channel for widget delivery might be preferable."

Ok, that is also an important security consideration. Should definitely have that in the spec under security considerations or some such section.

--
Marcos Caceres
http://datadriven.com.au