
RE: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

From: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Date: Thu, 26 Mar 2009 23:05:29 +0100
To: Thomas Roessler <tlr@w3.org>, "Hillebrand, Rainer" <Rainer.Hillebrand@t-mobile.net>
CC: "marcosc@opera.com" <marcosc@opera.com>, "paddy@aplix.co.jp" <paddy@aplix.co.jp>, "public-webapps@w3.org" <public-webapps@w3.org>, "otsi-arch-sec@omtplists.org" <otsi-arch-sec@omtplists.org>
Message-ID: <FAA1D89C5BAF1142A74AF116630A9F2C0A26D782B8@OBEEX01.obe.access-company.com>

Hi Thomas,

Nice suggestion, but I am not sure whether it will survive in the real world or be abandoned or replaced by other interpretations.

[I personally associate the author with the widget developer]

Let's imagine I am a developer D of the widget W and I work for company C.
Who is the actual author and what does it mean?
Whose private key is used for author signature?
Could e.g. the company C be the first distributor of the widget W and I remain the author and sign the widget with my private key?

I am not sure whether it is feasible to map all the possible configurations of the relationships with a 2-level signature architecture (author + distributors).
Even then, the role names would probably not fit.

Maybe this would be enough?
> The author signature binds the author's identity to the widget package.
Then similarly:
> The distributor's signature binds the distributor's identity to the widget package.

So it would be only about binding various entities with each other.


Kind regards,

From: public-webapps-request@w3.org [public-webapps-request@w3.org] On Behalf Of Thomas Roessler [tlr@w3.org]
Sent: Thursday, March 26, 2009 10:38 PM
To: Hillebrand, Rainer
Cc: marcosc@opera.com; paddy@aplix.co.jp; public-webapps@w3.org; otsi-arch-sec@omtplists.org
Subject: Re: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft


> The author signature asserts that the signing party is an author of
> the widget, and binds the author's identity to the widget package.

Thomas Roessler, W3C  <tlr@w3.org>

On 26 Mar 2009, at 17:20, Hillebrand, Rainer wrote:

> Dear Marcos,
> We cannot technically guarantee that the author signature really
> comes from the widget's author. It is like having an envelope with an
> unsigned letter. The envelope and the letter can come from different
> sources even if the envelope has a signature.
> Best Regards,
> Rainer
> ---------------------------------------
> Sent from my mobile device
> ----- Original message -----
> From: Marcos Caceres <marcosc@opera.com>
> To: Paddy Byers <paddy@aplix.co.jp>
> Cc: Hillebrand, Rainer; WebApps WG <public-webapps@w3.org>; otsi-arch-sec@omtplists.org
>  <otsi-arch-sec@omtplists.org>
> Sent: Thu Mar 26 17:12:20 2009
> Subject: Re: [BONDI Architecture & Security] [widgets] new digsig draft
> On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers <paddy@aplix.co.jp>
> wrote:
>> Hi,
>>> Agreed. Can we say "were signed with the same certificate" instead?
>> I understood that Webapps had agreed to add a signature profile that
>> designates a particular signature as the author signature - and
>> where this
>> is present it is possible to come up with appropriate precise
>> wording as to
>> whether or not two packages originate from the same author.
> Well, that's basically what we have, but Rainer seems to imply that it
> is impossible to do this. I think we get as close as we technically
> can to achieving that goal. However, if that current solution is
> inadequate, then please send us suggestions.
> --
> Marcos Caceres
> http://datadriven.com.au
> T-Mobile International AG
> Aufsichtsrat/ Supervisory Board: René Obermann (Vorsitzender/
> Chairman)
> Vorstand/ Board of Management: Hamid Akhavan (Vorsitzender/
> Chairman), Michael Günther, Lothar A. Harings, Katharina Hollender
> Handelsregister/Commercial Register Entry: Amtsgericht Bonn, HRB 12276
> Steuer-Nr./Tax No.: 205 / 5777/ 0518
> USt.-ID./VAT Reg.No.: DE189669124
> Sitz der Gesellschaft/ Corporate Headquarters: Bonn


Access Systems Germany GmbH
Essener Strasse 5  |  D-46047 Oberhausen
HRB 13548 Amtsgericht Duisburg
Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda


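The two-level scheme argued over in this thread (an author signature plus distributor signatures, each binding a signer's identity to the widget package), as an added example that is not code from the thread or from the W3C/BONDI specifications. Ed25519 keys stand in for the certificates the thread talks about, the package files are constructed sample input, and the choice that a distributor signature also covers the author signature it found in the package is an assumption of this example, not something the thread states. It shows what each signature does and does not bind: the author signature ties a key to the content, two packages are "from the same author" only in the sense of being signed with the same key, and, as Rainer's envelope point says, a third party holding the same files can produce a verifying author signature under its own key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Widget is the unsigned package content: file name -> bytes.
type Widget map[string][]byte

// Signature stands in for a signature file inside the package. Keys stand
// in for certificates; no CA, name binding or revocation is modelled.
type Signature struct {
	Role   string // "author" or "distributor"
	PubKey ed25519.PublicKey
	Sig    []byte
}

// packageDigest hashes the files in canonical order (sorted by name,
// length-prefixed) so the digest does not depend on insertion order.
func packageDigest(w Widget) []byte {
	names := make([]string, 0, len(w))
	for n := range w {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%d:%s:%d:", len(n), n, len(w[n]))
		h.Write(w[n])
	}
	return h.Sum(nil)
}

// AuthorSign binds the signing key (the "author's identity") to the content.
func AuthorSign(priv ed25519.PrivateKey, w Widget) Signature {
	return Signature{"author", priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, packageDigest(w))}
}

// distributorInput is what a distributor signature covers. Assumption of this
// example, not stated in the thread: the distributor signs the content together
// with the author signature it found, binding itself to "this content as signed by that key".
func distributorInput(w Widget, author Signature) []byte {
	h := sha256.New()
	h.Write(packageDigest(w))
	h.Write(author.PubKey)
	h.Write(author.Sig)
	return h.Sum(nil)
}

// DistributorSign binds the distributor's key to content plus author signature.
func DistributorSign(priv ed25519.PrivateKey, w Widget, author Signature) Signature {
	return Signature{"distributor", priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, distributorInput(w, author))}
}

// VerifyAuthor reports whether the author signature matches the package content.
func VerifyAuthor(w Widget, s Signature) bool {
	return s.Role == "author" && ed25519.Verify(s.PubKey, packageDigest(w), s.Sig)
}

// VerifyDistributor reports whether the distributor signature matches content and author signature.
func VerifyDistributor(w Widget, author, dist Signature) bool {
	return dist.Role == "distributor" && VerifyAuthor(w, author) &&
		ed25519.Verify(dist.PubKey, distributorInput(w, author), dist.Sig)
}

// SameAuthor is the strongest authorship claim a verifier can make: both author
// signatures verify under the same key ("signed with the same certificate").
func SameAuthor(w1 Widget, s1 Signature, w2 Widget, s2 Signature) bool {
	return VerifyAuthor(w1, s1) && VerifyAuthor(w2, s2) && s1.PubKey.Equal(s2.PubKey)
}

func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	// Constructed sample packages: developer D's widget W, versions 1 and 2.
	w1 := Widget{"config.xml": []byte(`<widget id="W"/>`), "index.html": []byte("<p>v1</p>")}
	w2 := Widget{"config.xml": []byte(`<widget id="W"/>`), "index.html": []byte("<p>v2</p>")}
	dev, company, stranger := mustKey(), mustKey(), mustKey()
	a1, a2 := AuthorSign(dev, w1), AuthorSign(dev, w2)
	d1 := DistributorSign(company, w1, a1) // company C distributes W; D remains the author
	fmt.Println("author, distributor verify:", VerifyAuthor(w1, a1), VerifyDistributor(w1, a1, d1))
	fmt.Println("v1 and v2 under the same author key:", SameAuthor(w1, a1, w2, a2))
	// Rainer's envelope: anyone holding D's files can produce a verifying "author
	// signature" under another key; the content is identical, only the bound key differs.
	imp := AuthorSign(stranger, w1)
	fmt.Println("stranger's author signature verifies:", VerifyAuthor(w1, imp),
		"/ same author as D:", SameAuthor(w1, a1, w1, imp),
		"/ C's signature still valid with swapped author sig:", VerifyDistributor(w1, imp, d1))
}
```

Run it with `go run`. The only authorship statement the verifier can make is SameAuthor: the same key signed both packages. Whether that key belongs to the person who wrote the widget is outside what the signature carries, which is the envelope point; the two-level scheme adds the distributor's binding on top but does not change that.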
Received on Thursday, 26 March 2009 22:07:39 UTC
