On Sep 14, 2009, at 11:00 AM, ext Marcos Caceres wrote:
On Mon, Sep 14, 2009 at 1:33 PM, Arthur Barstow
<art.bars...@nokia.com> wrote:
On Sep 13, 2009, at 1:06 PM, ext Marcos Caceres wrote:
It is optional for a user agent to support the widgets
[Widgets-DigSig] specification.
]]
Why did you add the DigSig text above and new DigSig paragraph
below the
Note (Section 4)? This spec should focus exclusively on the A&E UA.
The reason is that currently, the following text does not have a home:
[[A user agent must prevent a browsing context of a widget from
accessing (e.g., via scripts, CSS, HTML, etc.) the contents of a
digital signature document unless an access control mechanism
explicitly enables such access, e.g. via an access control policy. The
definition of such a policy mechanism is beyond the scope this
specification, but can be defined by implementers to allow access to
all or parts of the signature documents, or deny any such access. An
exception is if a user agent that implements this specification also
implements the optional [Widgets-DigSig] specification, in which case
the user agent must make digital signature documents available only to
the implementation of the [Widgets-DigSig] specification; a user agent
must not make the digital signatures accessible to scripting or other
content loading mechanisms, unless explicitly enabled by an access
control mechanism.]]
This spec seems like a good home for the text above (hence the
optionality of widgets dig sig).
I kinda' understand the general concern, but I don't think the lack
of a "home" for this spec is sufficient rationale to make the quoted
text above normative in this spec.
We should try to keep these specs as independent as possible.
It also isn't clear how one would test the "unless" clause of the
first statement for a black-box implementation of the A&E spec.
-Regards, Art Barstow
