There are 3 comments (sorted by their types, and the section they are about).
substantive comments
Comment LC-2401
Commenter: Marcos Caceres <marcosc@opera.com> (archived message ) Context: in
Status: open
proposal
pending
resolved_yes
resolved_no
resolved_partial
other
assigned to Marcos Caceres
Type: substantive
editorial
typo
question
general comment
undefined
Resolution status: Response drafted
Resolution implemented
Reply sent to commenter
Response status:
No response from Commenter yet
Commenter approved disposition
Commenter objected to dispositionCommenter's response (URI):
Comment :I have fund a number of issues with the dig sig spec:
1. Â The conformance model is all screwy: it mixes conformance criteria
for too many products (including ones on which were it makes no sense,
like signature documents). The conformance criteria makes the spec
really hard to write test for. Only two classes of products should be
allowed to conform: signers and validators.
2. The spec requires zip-relative-paths to be URL encoded during
signing. I think this is an oversight, specially because during
signature validation it does not say that the paths be decoded. URL
Encoded of paths should be removed from the spec, IMO. Zip-relative
paths are supposed to be URI safe, hence should not require URL
Encoding (and when they violate URI's path rule, they should be
treated as invalid widgets anyway as per the P&C spec).
3. The document is full of editorial redundancies (about 100+). It is
also badly structured, with behavioral conformance criteria mixed in
with definitions and support requirements (making the spec really hard
to follow).
In the interest of saving time, I have created a new version of the
spec that addresses all the issues above:
http://dev.w3.org/2006/waf/widgets-digsig/
To compare my draft with latest WG endorsed editorial draft:
http://tinyurl.com/26bxclc
In addition, the new draft has the advantage of being fully testable
and written using the method defined in [1] (meaning we can plug in
WebApps test suite creation infrastructure, which assures that all
conformance requirements in the spec will get tested!).
I encourage the working group to adopt my modified version once it has
been reviewed. Aside from the URL Encoding thing, the modified version
does not change the behavior existing implementations: it just makes
it much more clear what each kind of product needs to do to conform.
Kind regards,
Marcos
[1] http://www.w3.org/TR/test-methodology/
On Thu, Apr 29, 2010 at 2:21 PM, Arthur Barstow <art.barstow@nokia.com> wrote:
>
> Reminder: May 6 is the deadline for comments re the April 15 LCWD of the Digital Signatures for Widgets spec:
>
> Â http://www.w3.org/TR/2010/WD-widgets-digsig-20100415/
>
> Please send comments to public-webapps@w3.org.
>
> Begin forwarded message:
>
>> From: "Barstow Art (Nokia-CIC/Boston)" <Art.Barstow@nokia.com>
>> Date: April 16, 2010 5:25:27 PM EDT
>> To: public-webapps <public-webapps@w3.org>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
>> Subject: Request for Comments: LCWD of Digital Signatures for Widgets; deadline 6 May 2010
>> Archived-At: <http://www.w3.org/mid/8679D7D8-A881-4FD2-B1A3-693507FB66FF@nokia.com>
>>
>> On April 15 the WebApps WG published a new LCWD of the Digital
>> Signatures for Widgets spec (formerly titled Widgets 1.0: Digital
>> Signatures):
>>
>> Â http://www.w3.org/TR/2010/WD-widgets-digsig-20100415/
>>
>> This spec was last published as a CR [CR]. The new LC includes a fix
>> to a bug [Bug] that was identified during the implementation of the
>> spec's June 2009 Candidate.
>>
>> The deadline for this LC's comments is 6 May 2010.
>>
>> We will explicitly ask the XML Security WG to review this LC and
>> comments from others are welcome.
>>
>> -Art Barstow
>>
>> [Bug] http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/
>> 0054.html
>> [CR] http://www.w3.org/TR/2009/CR-widgets-digsig-20090625/
>>
>>
>>
>
>
--
Marcos Caceres
http://datadriven.com.au
Related issues: (space separated ids)
WG Notes: The WG agreed during its May 6 widgets call (http://www.w3.org/2010/05/06-wam-minutes.html#item03) to implement all of Marcos' comments. This resulted in the need to publish a new LCWD which was published 11-May-2010
Resolution: All of the proposed changes were agreed and implemented in the 11-May-2010 LCWD of the spec. (Please make sure the resolution is adapted for public consumption)
editorial comments
Comment LC-2402
Commenter: Andreas Kuehne <kuehne@trustable.de> (archived message ) Context: in
Status: open
proposal
pending
resolved_yes
resolved_no
resolved_partial
other
assigned to Frederick Hirsch
Type: substantive
editorial
typo
question
general comment
undefined
Resolution status: Response drafted
Resolution implemented
Reply sent to commenter
Response status:
No response from Commenter yet
Commenter approved disposition
Commenter objected to dispositionCommenter's response (URI):
Comment :Hi all,
just a minor comment found by build a test case :
Section7.1. Common Constraints for Signature Generation and Validation
1. [...]
2. [...]
3. For each ds:Reference element:
1. The URI attribute MUST be a zip relative path from the root of the widget package to the file entry being referenced.
This condition should not be applied to same-document references. It only makes sense to 'external' references.
Greetings
Andreas
--
Andreas Kühne phone: +49 177 293 24 97 mailto: kuehne@trustable.de
Trustable Ltd. Niederlassung Deutschland Ströverstr. 18 - 59427 Unna Amtsgericht Hamm HRB 5868
Directors Andreas Kühne Heiko Veit
Company UK Company No: 5218868 Registered in England and Wales
Related issues: (space separated ids)
WG Notes: During the 6 May 2010 widgets call (http://www.w3.org/2010/05/06-wam-minutes.html#item03), the WG agreed to make an editorial change to address Andreas' comment.
Resolution: The 11-May-2010 LCWD includes an editorial change to address the comment. (Please make sure the resolution is adapted for public consumption)
Add a comment .