W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [widgets] Comment on Widgets 1.0: Digital Signatures - the Usage property

From: Marcos Caceres <marcosc@opera.com>
Date: Sun, 22 Feb 2009 15:38:46 +0100
Message-ID: <b21a10670902220638k4dfeb454h177a745ae0512e14@mail.gmail.com>
To: "Hillebrand, Rainer" <Rainer.Hillebrand@t-mobile.net>
Cc: public-webapps <public-webapps@w3.org>, "Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>
Hi Rainer,
2009/2/13 Hillebrand, Rainer <Rainer.Hillebrand@t-mobile.net>:
> Dear Marcos,
>
> From my point of view the current model as described by you is ok. The author of the update description document and the author of the widget resource that shall be updated are able to control the security level shall be reached. This is not mandated by the widget specifications family. If somebody wants to provide an unsigned update package via HTTP for a signed widget resource then this will not be prevented by a widget user agent.
>

Agreed. A lot of software out there already works over this model. I
don't think it is worth over complicating it. Lets just keep it simple
and let it work over HTTP/HTTPS. Adding more complexity is unnecessary
IMHO. If it can be shown that HTTPS does not provide overall security
needed to achieve a widget update, then I think we should consider
throwing another signature into the mix.

Kind regards,
Marcos
-- 
Marcos Caceres
http://datadriven.com.au
Received on Sunday, 22 February 2009 14:39:29 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:30 GMT