<arve> I'm having some trouble calling in
<arve> as in, it doesn't seem to set me up
Date: 5 June 2008
<scribe> Scribe: Art
<scribe> ScribeNick: ArtB
AB: http://lists.w3.org/Archives/Member/member-appformats/2008Jun/0000.html
... above is today's agenda
... Any change requests for the agenda?
[none]
AB: latest ED is http://dev.w3.org/2006/waf/widgets-digsig/
ABe: I have a specific question
... when establishing a root cert, can the SSL root cert be re-used
... thus vendors don't have to have separate root certs
MC: I know Verisign sells a variety of certs
... and one is for code signing
... Y! is the only vendor that is doing signing
... I can look at what they are doing and report back
... Benoit has also done some work in this area
TLR: with XML Sign would use X509
... a) will Widget engine reuse certs
<marcos> Vista side bar: We might want to have a look at http://blog.eqinox.net/jed/articles/1707.aspx
<marcos> (Benoit sent me that link)
TLR: b) the question is whether there might be reservations from the CAs; we should probably talk to them
... I believe code signing certs to be more expensive
... it may make sense to keep them separate but at the end of the day it's a policy decision
AB: decision on behalf of the widget engine vendor?
TLR: yes but the CA too
... the decision is independent of whether or not XML Sig is used
<marcos> To quote Yahoo: "If you sign your Widget with a code-signing certificate issued by VeriSign, we can also verify the authenticity of the certificate itself. We intend to support more certificate authorities in future releases."
TLR: yes, a web server cert can be taken over thus it makes sense from a security perspective for them to use a separate code-signing cert
... different use cases really
ABe: OK, this discussion was helpful
... I think we may have more questions later
AB: with the proviso I'm not an expert in this area, it's not clear we need to mandate anything
TLR: we may want to say code-signing certs are mandatory
<marcos> Another interesting link: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2015994&SiteID=1
TLR: but it could create some interop problems
... For a code-signing cert, may want a different type of validation for the party that does the signing
... CAs may not want certs intended for TLS being re-used for widgets
... we really should get a CA or two at the table to discuss this
AB: which security-related WGs can we contact?
TLR: Phillip Hallam-Baker from Verisign is one person
... there are ... GoDaddy is a W3C member company with a CA business as well ...
... Art could send an e-mail to the AC reps of the CAs
... mobile people are doing related work
BW: our security guy is active in OMTP and made a related proposal
AB: can we get that proposal?
ACTION Worthington see if VF's signing input to OMTP can be shared with WAF
<trackbot> Created ACTION-181 - See if VF's signing input to OMTP can be shared with WAF [on Ben Worthington - due 2008-06-12].
ACTION Barstow contact the CAs regarding the reuse of TLS certs for Widgets
<trackbot> Created ACTION-182 - Contact the CAs regarding the reuse of TLS certs for Widgets [on Arthur Barstow - due 2008-06-12].
TLR: GoDaddy is one of the CAs I mentioned that is a member
AB: OK, thanks
AB: http://dev.w3.org/2006/waf/widgets-digsig/
... we have several open issues in the latest ED
... we can use this as an opportunity to get feedback from Thomas
... would like to understand our plan to address these issues
MC: we have a request to support signatures from multiple people
... also an open issue regarding certificate chaining
AB: regarding multiple signing, what's the current state?
MC: the only widget engine vendor is Y! and they aren't doing anything here
... in the mobile world, Java supports multiple signatures
... I would also like to understand Apple's model
<marcos> MC: iphone apps
ACTION Barstow investigate Java model for multiple signatures
<trackbot> Created ACTION-183 - Investigate Java model for multiple signatures [on Arthur Barstow - due 2008-06-12].
AB: where did the signature chain requirement come from?
MC: there is no requirement but it is something XML Signature supports
TLR: yes, could have a list of certs that needs to be walked up
... more of X509 property
... could say all intermediate certs need to be there
<marcos> TLR: it might be best to just have the X.509 cert data be put into the <x509data> element as a single block
<marcos> MC: I agree
AB: is there a follow-up issue/action?
MC: no, we just need to spec the model
AB: the new XML Security WG includes in its Charter a liaison with WAF
TLR: the XML Security Maintenance WG will end at the end of June
... it is slowly ramping up
<marcos> :)
TLR: thus use the Maintenance WG mail list now for communication
AB: are there other issues to discuss today, Marcos?
MC: I think we've covered the main issues
TLR: two more points
... 1. should probably add a timestamp
... 2. regarding transform, it turns out it's not well-defined
... do you have any more clarity?
MC: no; as you say it's not well-defined
TLR: think we need to investigate this more
MC: it would be helpful if I knew exactly what to look for
TLR: perhaps look at the deflate algorithm
MC: are you signing the compressed blob or not
... for v1 could say you must do it this way; and then for v2 we could add the transform if there is a request for it
<tlr> TR: Not having the transform sounds like it wants an additional security consideration; happy to provide that.
<tlr> ACTION: roessler to contribute security considerations for decompression and signature validation [recorded in http://www.w3.org/2008/06/05-waf-minutes.html#action01]
<trackbot> Created ACTION-184 - Contribute security considerations for decompression and signature validation [on Thomas Roessler - due 2008-06-12].
<marcos> A
<marcos> ACTION: Marcos to add timestamp element to widget dig sig spec [recorded in http://www.w3.org/2008/06/05-waf-minutes.html#action02]
<trackbot> Created ACTION-185 - Add timestamp element to widget dig sig spec [on Marcos Caceres - due 2008-06-12].
AB: Marcos made a proposal http://lists.w3.org/Archives/Public/public-appformats/2008May/0088.html
... we received lots of comments, even from TBL
MC: I think some people hadn't read the spec yet they commented anyway
... the proposal to use http scheme just doesn't make sense for our use
... my proposal says you can use http if you want to
... but it would mean changing the widget engine architecture
ACTION Barstow follow-up the scope issue related to the widget: scheme thread
<trackbot> Created ACTION-186 - Follow-up the scope issue related to the widget: scheme thread [on Arthur Barstow - due 2008-06-12].
<marcos> http://lists.w3.org/Archives/Public/public-appformats/2008May/0140.html
<marcos> My proposal was: http://widgetengine:port/instanceID/package.wgt/path/to/resource
AB: I think we've done a good job of keeping the TAG informed
... but if they don't read the spec and understand our use cases we need to consider that in our disposition of their comments
MS: we do indeed need to include the TAG in such discussions
... we must get approval eventually from the Director
... thus I recommend we seriously consider any comment from the Director
MC: I responded to Tim's email
... the ball is in his court now; he hasn't responded
MS: I don't think we need to go out of our way to ask Tim to respond, at least not at this point
... If he feels strongly about it he surely will let us know and we will have to deal with it
ABe: I think most of the comments were from people that didn't understand our use case
<MikeSmith> tlr-
ABe: perhaps we should separately write up our UCs and Reqs
<marcos> The req: http://dev.w3.org/2006/waf/widgets-reqs/#r5.-addressing
AB: I agree with Arve
... Marcos do we have related requirements
MC: yes, we do have a requirement
<marcos> ACTION: expand requirement number 5 to be more descriptive [recorded in http://www.w3.org/2008/06/05-waf-minutes.html#action03]
<trackbot> Sorry, couldn't find user - expand
<marcos> ACTION: Marcos to expand requirement number 5 to be more descriptive [recorded in http://www.w3.org/2008/06/05-waf-minutes.html#action04]
<trackbot> Created ACTION-187 - Expand requirement number 5 to be more descriptive [on Marcos Caceres - due 2008-06-12].
AB: do we want to continue this topic next week?
MC: no I don't think so
... I think we just need to document the usage better
... unless someone wants to use http:
ABe: no I don't think so
... http: scheme isn't appropriate for the Widget engine where origin isn't necessarily a Web site
... I don't think we should use http: for things it was not intended for
... I do NOT want to use http:
AB: I support Arve's position as our continued working model
... others?
MC: I'll abstain on this
... it would add a lot of complexity; too much I think
... certainly not for v1
AB: any new news Mike?
MS: I don't have any new news to share
... hope to have something by next VC
AB: we are currently working with an Expired Charter
MS: yes, I know
AB: last week we agreed it would be in Sept
... but that was a conflict for Marcos
... new proposal: August 26-28 in Turin
... any objections?
ABe: OK with me
MC: OK with me
... and thanks all for changing the date
RESOLUTION: our next Widgets f2f meeting will be August 26-28 in Turin hosted by Telecom Italia
AB: Meeting Adjourned
Present: Art Arve Thomas Arve Marcos Ben
Regrets: Claudio