- From: Nilsson, Claes1 <Claes1.Nilsson@sonyericsson.com>
- Date: Mon, 10 May 2010 17:37:33 +0200
- To: "'Arribas, Laura, VF-Group'" <Laura.Arribas@vodafone.com>, "W3C Device APIs and Policy WG" <public-device-apis@w3.org>
Hi Laura,

My basic comment is that the policy framework must be able to securely identify the origin and integrity of a specific web application and that the "Subject Attributes" described in section 3.3 must be defined so that this is possible. However, I need to look more at the details and will come back.

Best regards
Claes

> -----Original Message-----
> From: Arribas, Laura, VF-Group [mailto:Laura.Arribas@vodafone.com]
> Sent: onsdag den 5 maj 2010 15:29
> To: Nilsson, Claes1; W3C Device APIs and Policy WG
> Subject: RE: [Policy] [ACTION-152] Editor Updates to Policy Requirements and Policy Framework
>
> Hi Claes,
>
> Sorry for the delay answering to your e-mail. Please find my comments below.
>
> > Section 3.3.1 Widget Attributes:
> > * Why is only "common name" used for distributor, distributor root, author and author root certificates? Don't we the whole "subject" to get a more flexible identification of a widget resource?
>
> I see your point and agree that considering the whole subject for the root certificates may make more sense, since the subject for the root certificates is very likely to stay the same. However, for other certificates I don't believe using the whole subject to identify a widget is the best option, since: i) the probability that the fields in the subject change is very high; ii) according to the standards the fields in the subject are order independent, which means that when comparing the content of the subject with the policy, a different order could mean that the subject-match is not met even if the subject fields have the same values; iii) there is no limit on the size of the subject, which could potentially be a problem.
>
> > Section 3.3.2 Website Attributes:
> > In order to securely identify a web site and achieve the granularity of a specific web application, don't we need attributes for the site's server certificate? I also suggest that server certificate attributes are added:
> > * Suggest that the whole "subject" is used instead of only "common name" for the root certificate.
>
> Agree in the case of the root certificate.
>
> > * Suggest to add: key-server-subject: The subject field of the server certificate chained to by the site certificate. Empty bag if none.
>
> Sorry I don't understand this comment... What is the difference between the site certificate and the server certificate?
>
> > * Suggest to add: key-server-fingerprint: The fingerprint of the root certificate chained to by the site certificate. Empty bag if none.
>
> Do you mean "server certificate"?
>
> Let me know what you think.
>
> Thanks,
>
> Laura
Received on Monday, 10 May 2010 15:39:13 UTC
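
Points i) to iii) of the quoted reply, as an added example that is not part of the original thread or of any W3C specification: it compares a policy subject against certificate subjects by exact string, by an order-insensitive normalized form, and by common name only. The DN strings, the function names, the simplified parser and the 1024-character limit are assumptions made for illustration.

```python
from typing import Tuple

MAX_SUBJECT_LEN = 1024  # assumed policy limit; the thread names no figure (point iii)

def parse_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Return the DN's (type, value) pairs in a canonical, order-free form.

    Simplified parser: handles backslash-escaped characters, but not
    hex escapes, quoted values or multi-valued ('+') RDNs.
    """
    if len(dn) > MAX_SUBJECT_LEN:
        raise ValueError("subject exceeds size limit")
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:                      # previous char was a backslash: keep literally
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":              # unescaped comma ends one RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if esc:
        raise ValueError("dangling escape")
    parts.append("".join(cur))
    pairs = []
    for rdn in parts:
        key, sep, value = rdn.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Types compared case-insensitively; values casefolded, whitespace collapsed.
        pairs.append((key.strip().upper(), " ".join(value.split()).casefold()))
    return tuple(sorted(pairs))      # sorting removes the dependence on field order

def match_exact(policy: str, cert: str) -> bool:
    return policy == cert            # breaks on reordering or spacing (point ii)

def match_normalized(policy: str, cert: str) -> bool:
    return parse_dn(policy) == parse_dn(cert)

def match_common_name(policy_cn: str, cert: str) -> bool:
    return ("CN", " ".join(policy_cn.split()).casefold()) in parse_dn(cert)

# Constructed sample subjects: the same fields in two renderings, then one changed field.
POLICY = "CN=Example Widgets,OU=Signing,O=Example Corp,C=SE"
CERT_REORDERED = "C=SE, O=Example Corp, OU=Signing, CN=Example Widgets"
CERT_OU_CHANGED = "C=SE, O=Example Corp, OU=Release, CN=Example Widgets"
```

With these samples the exact comparison rejects the reordered subject, the normalized comparison accepts it, and only the common-name match survives the changed OU (point i).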