Widgets Voice Conference -- 05 Jun 2008

<arve> I'm having some trouble calling in

<arve> as in, it doesn't seem to set me up

Date: 5 June 2008

<scribe> Scribe: Art

<scribe> ScribeNick: ArtB

Review Agenda

AB: http://lists.w3.org/Archives/Member/member-appformats/2008Jun/0000.html
... above is today's agenda
... Any change requests for the agenda?

[none]

reusing TLS certs for Widgets

AB: lastest ED is http://dev.w3.org/2006/waf/widgets-digsig/

ABe: I have a specific question
... when establishing a root cert, can the SSL root cert be re-used
... thus vendors don't have to have to separate root certs

MC: I know Verisign sells a variety of certs
... and one is for code signing
... Y! is the only vendor that is doing signing
... I can look at what they are doing and report back
... Benoit has also done some work in this area

TLR: with XML Sign would use X509
... a) will Widget engine reuse certs

<marcos> Vista side bar: We might want to have a look at http://blog.eqinox.net/jed/articles/1707.aspx

<marcos> (Benoit sent me that link)

TLR: b) the question is whether there might be reservations from the CAs; we should probably talk to them
... I believe code signing certs to be more expensive
... it may make sense to keep them separate but at the end of the day it's a policy decision

AB: decision on behalf of the widget engine vendor?

TLR: yes but the CA too
... the decision is independent of whether or not XML Sig is used

<marcos> To quote Yahoo: "If you sign your Widget with a code-signing certificate issued by VeriSign, we can also verify the authenticity of the certificate itself. We intend to support more certificate authorities in future releases."

TLR: yes, a web server cert can be taken over thus it makes sense from a security perspective for them to use a separate code-signing cert
... different uses cases really

ABe: OK, this discussion was helpful
... I think we may have more questions later

AB: with the proviso I'm not an expert in this area, it's not clear we need to mandate anything

TLR: we may want to say code-signing certs are mandatory

<marcos> Another interesting link: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2015994&SiteID=1

TLR: but it could create some interop problems
... For a code-signing cert, may want a different type of validation for the party that does the signing
... CAs may not want certs intended for TLS being re-used for widgets
... we really should get a CA or two at the table to discuss this

AB: which security-related WGs can we contact?

TLR: Philip Halam-Baker from Versigin is one person
... there are ... GoDaddy is a W3C member company with a CA business as well ...
... Art could send an e-mail to the AC reps of the CAs
... mobile people are doing related work

BW: our security guy is active in OMTP and made a related proposal

AB: can we get that proposal?

ACTION Worthington see if VF's signing input to OMTP can be shared with WAF

<trackbot> Created ACTION-181 - See if VF's signing input to OMTP can be shared with WAF [on Ben Worthington - due 2008-06-12].

ACTION Barstow contact the CAs regarding the reuse of TLS certs for Widgets

<trackbot> Created ACTION-182 - Contact the CAs regarding the reuse of TLS certs for Widgets [on Arthur Barstow - due 2008-06-12].

TLR: GoDaddy is one of the CAs I mentioned that is a member

AB: OK, thanks

Digital Signal spec - open issues

AB: http://dev.w3.org/2006/waf/widgets-digsig/
... we have several open issues in the latest ED
... we can use this an opportunity to get feedback from Thomas
... would like to understand our plan to address these issues

MC: we have a request to support signatures from multiple people
... also an open issue regarding certificate chaining

AB: regarding multiple signing, what's the current state?

MC: the only widget engine vendor is Y! and they aren't doing anything here
... in the mobile world, Java supports multiple signatures
... I would also like to understand Apple's model

<marcos> MC: iphone apps

ACTION Barstow investigate Java model for multiple signatures

<trackbot> Created ACTION-183 - Investigate Java model for multiple signatures [on Arthur Barstow - due 2008-06-12].

AB: where did the signature chain requirement come from?

MC: there is no requirement but it is something XML Signature supports

TLR: yes, could have a list of certs that needs to be walked up
... more of X509 property
... could say all intermediate certs need to be there

<marcos> TLR: it might be best to just have the X.509 cert data be put into the <x509data> element as a single block

<marcos> Mc: I agree

AB: is there a follow-up issue/action?

MC: no, we just need to spec the model

AB: the new XML Security WG includes in its Charter a liaison with WAF

TLR: the XML Security Maintenance WG will end at the end of June
... it is slowly ramping up

<marcos> :)

TLR: thus use the Maintenance WG mail list now for communication

AB: are there other issues to discuss today, Marcos?

MC: I think we've covered the main issues

TLR: two more points
... 1. should probably add a timestamp
... 2. regarding transform, it turns out its not well-defined
... do you have any more clarity?

MC: no; as you say it's not well-defined

TLR: think we need to investigate this more

MC: it would be helpful if I knew exactly what to look for

TLR: perhaps look at the deflate algorithm

MC: are you signing the compressed blob or not
... for v1 could say you must do it this way; and then for v2 we could add the transform if there is a request for it

<tlr> TR: Not having the transform sounds like it wants an additional security consideration; happy to provide that.

<tlr> ACTION: roessler to contribute security considerations for decompression and signature validation [recorded in http://www.w3.org/2008/06/05-waf-minutes.html#action01]

<trackbot> Created ACTION-184 - Contribute security considerations for decompression and signature validation [on Thomas Roessler - due 2008-06-12].

<marcos> A

<marcos> ACTION: Marcos to add timestamp element to widget dig sig spec [recorded in http://www.w3.org/2008/06/05-waf-minutes.html#action02]

<trackbot> Created ACTION-185 - Add timestamp element to widget dig sig spec [on Marcos Caceres - due 2008-06-12].

widget: scheme

AB: Marcos made a proposal http://lists.w3.org/Archives/Public/public-appformats/2008May/0088.html
... we received lots of comments, even from TBL

MC: I think some people hadn't read the spec yet they commented anyway
... the proposal to use http scheme just doesn't make sense for our use
... my proposal says you can use http if you want to
... but it would mean changing the widget engine architecture

ACTION Barstow follow-up the scope issue related to the widget: scheme thread

<trackbot> Created ACTION-186 - Follow-up the scope issue related to the widget: scheme thread [on Arthur Barstow - due 2008-06-12].

<marcos> http://lists.w3.org/Archives/Public/public-appformats/2008May/0140.html

<marcos> My proposal was: http://widgetengine:port/instanceID/package.wgt/path/to/resource

AB: I think we've done a good job of keeping the TAG informed
... but if they don't read the spec and understand our use cases we need to consider that in our disposition of their comments

MS: we do indeed need to include the TAG in such discussions
... we must get approval eventually from the Director
... thus I recommend we seriously consider any comment from the Director

MC: I responded to Tim's email
... the ball is in his court now; he hasn't responded

MS: I don't think we need to go out of our way to ask Tim to respond, at least not at this point
... If he feels strongly about it he surely will let us know and we will have to deal with it

ABe: I think most of the comments were from people that didn't understand our use case

<MikeSmith> tlr-

ABe: perhaps we should separately write up our UCs and Reqs

<marcos> The req: http://dev.w3.org/2006/waf/widgets-reqs/#r5.-addressing

AB: I agree with Arve
... Marcos do we have related requirements

MC: yes, we do have a requirement

<marcos> ACTION: expand requirement number 5 to be more descriptive [recorded in http://www.w3.org/2008/06/05-waf-minutes.html#action03]

<trackbot> Sorry, couldn't find user - expand

<marcos> ACTION: Marcos to expand requirement number 5 to be more descriptive [recorded in http://www.w3.org/2008/06/05-waf-minutes.html#action04]

<trackbot> Created ACTION-187 - Expand requirement number 5 to be more descriptive [on Marcos Caceres - due 2008-06-12].

AB: do we want to continue this topic next week?

MC: no I don't think so
... I think we just need to document the usage better
... unless someone wants to use http:

ABe: no I don't think so
... http: scheme isn't appropriate for the Widget engine where orgin isn't necessarily a Web site
... I don't think we should http: for things it was not intended for
... I do NOT want to use http:

AB: I support Arve's position as our continued working model
... others?

MC: I'll abstain on this
... it would add a lot of complexity; too much I think
... certainly not for v1

Web Apps Charter update

AB: any new news Mike?

MS: I don't have any new news to share
... hope to have something by next VC

AB: we are currently working with an Expired Charter

MS: yes, I know

Next F2F Meeting

AB: last week we agreed it would be in Sept
... but that was a conflict for Marcos
... new proposal: August 26-28 in Turino
... any objections?

ABe: OK with me

MC: OK with me
... and thanks all for changing the date

RESOLUTION: our next Widgets f2f meeting will be August 26-28 in Turino hosted by Telecom Italia

AB: Meeting Adjourned

- DRAFT -

Widgets Voice Conference

05 Jun 2008

Attendees

Contents