W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

RE: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: Packaging & Configuration spec

From: Hillebrand, Rainer <Rainer.Hillebrand@t-mobile.net>
Date: Mon, 2 Mar 2009 14:01:02 +0100
Message-ID: <41C7C0F2BC2713438D933052463E9259024A8876@DEMSWBMXSC0104.sv.ad.tmo>
To: <marcosc@opera.com>
Cc: "public-webapps" <public-webapps@w3.org>
Dear Marcos,

I have some doubts that a secure transport of a widget resource is so important in case of a signed widget resource. I would agree with you that we currently do not know how a signature is considered because we do not have a security framework and security policies that would define the use of signatures. However, if a user agent implements a security framework that enforces security policies considering signed widget resources then a secure transport will not be required. The signature shall guarantee the widget resource's integrity and authenticity. What would a secure transport add?

Best Regards,

Rainer
*************************************
T-Mobile International
Terminal Technology
Rainer Hillebrand
Head of Terminal Security
Landgrabenweg 151, D-53227 Bonn
Germany

+49 171 5211056 (My T-Mobile)
+49 228 936 13916 (Tel.)
+49 228 936 18406 (Fax)
E-Mail: rainer.hillebrand@t-mobile.net

http://www.t-mobile.net

This e-mail and any attachment are confidential and may be privileged. If you are not the intended recipient, notify the sender immediately, destroy all copies from your system and do not disclose or use the information for any purpose. 

Diese E-Mail inklusive aller Anhänge ist vertraulich und könnte bevorrechtigtem Schutz unterliegen. Wenn Sie nicht der beabsichtigte Adressat sind, informieren Sie bitte den Absender unverzüglich, löschen Sie alle Kopien von Ihrem System und veröffentlichen Sie oder nutzen Sie die Information keinesfalls, gleich zu welchem Zweck.




T-Mobile International AG
Aufsichtsrat/ Supervisory Board: René Obermann (Vorsitzender/ Chairman)
Vorstand/ Board of Management: Hamid Akhavan (Vorsitzender/ Chairman), Michael Günther, Lothar A. Harings, Katharina Hollender
Handelsregister/Commercial Register Entry: Amtsgericht Bonn, HRB 12276
Steuer-Nr./Tax No.: 205 / 5777/ 0518
USt.-ID./VAT Reg.No.: DE189669124
Sitz der Gesellschaft/ Corporate Headquarters: Bonn




-----Original Message----- 
From: public-webapps-request@w3.org [mailto:public-webapps-request@w3.org] On Behalf Of Marcos Caceres
Sent: Dienstag, 24. Februar 2009 23:34
To: Frederick Hirsch
Cc: ext Priestley, Mark, VF-Group; Barstow Art (Nokia-CIC/Boston); public-webapps
Subject: Re: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: Packaging & Configuration spec

Hi Frederick,

On Tue, Feb 24, 2009 at 11:19 PM, Frederick Hirsch <frederick.hirsch@nokia.com> wrote:
> The Widget Signature spec is not an API definition so probably does 
> not need to define how signature status information is returned.

You are right, so agreed.

> I also agree that it
> would be incorrect to define in the Widget Signature spec whether or 
> not a widget is valid, that is out of scope.

Right again.

> The spec limits itself to signature
> validation.  However I would not want to be prescriptive in the 
> specification to the level of status return codes.

Ok, makes sense.

> We may want to add a security considerations note along the lines of
>
> "As distributor signatures are not included in an overall widget 
> signature, it is possible for signatures to be added or removed and 
> hence a secure channel for widget delivery  might be preferable."

Ok, that is also an important security consideration. Should definitely have that in the spec under security considerations or some such section.



--
Marcos Caceres
http://datadriven.com.au
Received on Monday, 2 March 2009 13:02:53 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:30 GMT