RE: [BONDI Architecture & Security] [widgets] Author

Hi Paddy, All, This seems to be the summary of the discussion and material that was specified till now: 1. P&C says: "An author signature is intended to be generated by the author of a widget (i.e., the person who authored the widget). " i.e. author is a person. 2. DigSig says: "An author elemen

RE: [BONDI Architecture & Security] [widgets] Author, was: RE: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi Paddy, I agree with your summary, but I have comments to the sequence of conclusions. >>But, as Thomas says, the P&C spec should confine itself to defining how a >>Widget Resource encodes the signature(s), and say something about what is >>being asserted, and by who. The author is simply som

Re: [BONDI Architecture & Security] [widgets] Author, was: RE: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi, I have been trying to identify the term author in Widget specs. I think we're in danger of getting into details that are irrelevant for the P&C specification. This spec should define what information is asserted by the presence of the author and distributor signatures. It is up to a consum

[BONDI Architecture & Security] [widgets] Author, was: RE: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi All, I have been trying to identify the term author in Widget specs. [1] defines the element and says: "An author element represents people or an organization attributed with the creation of the widget." However, it does not bring too much clarification to the points that were raised wrt aut

RE: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi Thomas, Nice suggestion, but I am not sure whether it will survive in the real world and be abandoned or replaced by other interpretations. [I personally associate the author with the widget developer] Let's imagine I am a developer D of the widget W and I work for company C. Who is the actu

Re: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Suggestion: The author signature asserts that the signing party is an author of the widget, and binds the author's identity to the widget package. Regards, -- Thomas Roessler, W3C On 26 Mar 2009, at 17:20, Hillebrand, Rainer wrote: Dear Marcos, We cannot technically guarantee that

RE: [BONDI Architecture & Security] [widgets] new digsig draft

Hi Marcos, All, >>Agreed. Can we say "were signed with the same certificate" instead? If there is a conclusion on the other aspects of this point (discussed in other mails) I would suggest writing: "were signed with the private key of the key pair whose public key is certified by the same certif

Re: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

I agree with what Thomas said as well. I suggest we think about whether we really need to change the specification since I read what is there as consistent with what Thomas wrote. The intent is to flag a signature as an "author signature" - more detail is in my opinion in the same categor

RE: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi, I support this view. In the whole design of various widget signatures it seems important that there is a list of signatures and from this list one is the distinguished one. Naming of the signatures is not very important, I think. The term "author" is not defined anywhere. It does not have to

Re: Web Sigining in Action

Hi Channy, I think there are several project that we need to do in order to succeed. Smart cards as provided in the EU typically only manges to support a single CA. But that works bad because we have many providers and they are unlikely to settle on a single CA. As an example most employers would

RE: [BONDI Architecture & Security] [widgets] new digsig draft

Hi, One correction to what I wrote: Instead of a) Replace "root of the archive" with "root of the widget" I would now suggest a) Replace "root of the archive" with "root of the widget package" Thanks. Kind regards, Marcin Marcin Hanclik ACCESS Systems Europe GmbH Tel: +49-208-8290-6452 | Fax:

Re: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

I think the draft provides enough assurance for the intended level of use. If you want higher levels of assurance more will be required, but I don't believe we have a requirement here for that. regards, Frederick Frederick Hirsch Nokia On Mar 26, 2009, at 12:20 PM, ext Hillebrand, Rainer

Re: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

(removing cross-posting since it doesn't work for mail from everyone) I'd like to point out that section 5.2 says what an author signature *can* do. I'm strongly against muddying this to account for various edge cases - I agree with Thomas that the meaning is clear. However I understand the

Re: Web Sigining in Action

Dear all, I agreed Andres said that it is unclear where a certain issue belong apps or not. I means everyone didn't care about this while many industrial vendors have made tireless same plugins in web space. Although Anders indicated there were less certificate applications, there are 14 million u

Re: Web Sigining in Action

Dear Marcos Caceres, Thanks for your kind reply. Sorry my delay. > Ian recommended us to continue this discussion in Webapps W/G[6]. Andres > also has tried another effort to solve issue[7]. > > > > can you please send us a better summary. As you know, most of certificate service consist of thr

RE: [BONDI Architecture & Security] [widgets] new digsig draft

Hi Marcos, All, Please find below my - mostly editorial - comments to the latest digsig draft and one comment for P&C. Thanks. Kind regards, Marcin 1. Section 1: "... with XML signatures that each cryptographically include all of the non-signature ..." should become (missing "s") "... with X

Re: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

What the author certificate lets you verify is whether a single party is taking responsibility for two widgets. There is indeed no *proof* of authorship here, but a statement that the signer is willing to assume the blame for being the widget's author. Which is all we need, no? -- Thomas

AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Dear Frederick, The intent is clear but the technical solution will only provide confidence if you trust the owner of the author certificate. If you trust the owner then it is very likely for you that a widget with this author signature really comes from this author. However, there is no techni

Re: [BONDI Architecture & Security] [widgets] new digsig draft

I think I disagree, since the intent *is* to identify the author, that is the semantics, and this proposed change makes it less clear. Of course we can argue whether or not you achieve that if you cannot associate the signature with the author, but that is out of scope. regards, Frederick

AW: RE: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Dear Mark, I agree to use your text. Best Regards, Rainer --- Sent from my mobile device - Originalnachricht - Von: otsi-arch-sec-ow...@omtp.ieee-isto.org An: Hillebrand, Rainer; marc...@opera.com ; pa...@aplix.co.jp Cc: public-webapps@w3.org ; o

RE: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi All, As the author signature was something I had a hand in creating let me add my 2 pence worth. Rainer is correct in that the author signature need not actually come from the author of the widget. It comes from someone who claims to be the widget's author. Whether you believe this claim de

AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Dear Marcos, We cannot technically guarantee that the author signature really comes from the widget's author. It is like having an envelop with an unsigned letter. The envelop and the letter can come from different sources even if the envelop has a signature. Best Regards, Rainer

AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi Marcos! I agree with your suggestions. Best Regards, Rainer --- Sent from my mobile device - Originalnachricht - Von: Marcos Caceres An: Hillebrand, Rainer Cc: WebApps WG ; otsi-arch-...@omtplists.org Gesendet: Thu Mar 26 16:24:22 2009 Betreff:

Re: [BONDI Architecture & Security] [widgets] new digsig draft

On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers wrote: > Hi, > >> Agreed. Can we say "were signed with the same certificate" instead? > > I understood that Webapps had agreed to add a signature profile that > designates a particular signature as the author signature - and where this > is present it i

Simple approach for

Hi, in the same spirit of the resolution that we made with L10N based on the principle that we define something simple now and add more complex stuff once developers have described real-world issues that we don't address, I would like to propose a similarly simple approach for . I think

[widgets] Minutes from 26 March 2009 Voice Conference

The minutes from the March 26 Widgets voice conference are available at the following and copied below: WG Members - if you have any comments, corrections, etc., please send them to the public-webapps mail list before 2 April 2009 (the next Widge

Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi, Agreed. Can we say "were signed with the same certificate" instead? I understood that Webapps had agreed to add a signature profile that designates a particular signature as the author signature - and where this is present it is possible to come up with appropriate precise wording as to whet

Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi Rainer, On Thu, Mar 26, 2009 at 1:57 PM, Hillebrand, Rainer wrote: > Dear Marcos, > > I have some proposals for editorial changes. > > 1. Section 1.2: change "which MAY logically contains" to "which MAY logically > contain" fixed. > 2. Section 1.2: "An unsigned widget package is a widget pa

additional widgets signature fix

I fixed one additional ordered list nit in widgets signature, so it validates correctly. When published the document date will need to be updated to the publication date. regards, Frederick Frederick Hirsch Nokia

Re: and IRI equivalence

On Thu, 26 Mar 2009 14:51:02 +0100, Thomas Roessler wrote: I phrased this poorly. The question at hand is whether the spec needs a dependency on HTML's use of URI references, or whether a reference to the URI spec is sufficient. I suspect that the latter is in fact the case; implementatio

Re: and IRI equivalence

On 26 Mar 2009, at 14:44, Anne van Kesteren wrote: On Thu, 26 Mar 2009 14:40:16 +0100, Thomas Roessler wrote: 1. I think it's a good thing to phrase this in terms of the BNF from 3986 and 3987. I don't think it's obvious that this piece of the spec needs to reuse the HTML URI parser. AF

Re: and IRI equivalence

On Thu, 26 Mar 2009 14:40:16 +0100, Thomas Roessler wrote: 1. I think it's a good thing to phrase this in terms of the BNF from 3986 and 3987. I don't think it's obvious that this piece of the spec needs to reuse the HTML URI parser. AFAICT "that" parser is used for HTTP, CSS, HTML, XMLHttpRe

and IRI equivalence

Two points: 1. I think it's a good thing to phrase this in terms of the BNF from 3986 and 3987. I don't think it's obvious that this piece of the spec needs to reuse the HTML URI parser. 2. Equivalence of ASCII domain names is defined in terms of an ASCII case insensitive comparison. Eq

RE: [widgets] Agenda for 26 March 2009 Voice Conference ; 90 Minutes

Regrets, attending a MWI BPWG all-day (for me, night) session. Best regards, Bryan Sullivan | AT&T -Original Message- From: public-webapps-requ...@w3.org [mailto:public-webapps-requ...@w3.org] On Behalf Of Arthur Barstow Sent: Wednesday, March 25, 2009 4:50 AM To: public-webapps Subject:

RE: [BONDI Architecture & Security] [widgets] new digsig draft

Dear Marcos, I have some proposals for editorial changes. 1. Section 1.2: change "which MAY logically contains" to "which MAY logically contain" 2. Section 1.2: "An unsigned widget package is a widget package that does not contain any signature files. It is left to the user agent's security po

Re: [widgets] new digsig draft

Marcos I checked in another revision to fix the broken link in 7. 2 (last sentence included s in span) and to fix various validation errors. The latest revision looks ok to me now, version 1.85 of Overview.src.html, version 1.93 of Overview.html regards, Frederick Frederick Hirsch Nokia

Re: [widgets] restrictions on XML base

Hi Thomas, On Fri, Mar 20, 2009 at 1:31 PM, Thomas Roessler wrote: > On 20 Mar 2009, at 10:46, Marcos Caceres wrote: > >> To compliment the new i18n model, I've added the following >> restrictions on XML base: >> [[ >> xml:base attribute >> The xml:base attribute may be used in a configuration doc

XHR and the storage mutex

HTML5 now has a "storage mutex" concept to cope with cookies being set in a multiprocess UA architecture without having scripts be exposed to race conditions. This affects XHR in a couple of ways. For both sync and async XHR, we should add a must-level requirement that UAs are to "obtain the