W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

[BONDI Architecture & Security] [widgets] Author, was: RE: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

From: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Date: Fri, 27 Mar 2009 00:00:20 +0100
To: Marcin Hanclik <Marcin.Hanclik@access-company.com>, Thomas Roessler <tlr@w3.org>, "Hillebrand, Rainer" <Rainer.Hillebrand@t-mobile.net>
CC: "marcosc@opera.com" <marcosc@opera.com>, "paddy@aplix.co.jp" <paddy@aplix.co.jp>, "public-webapps@w3.org" <public-webapps@w3.org>, "otsi-arch-sec@omtplists.org" <otsi-arch-sec@omtplists.org>
Message-ID: <FAA1D89C5BAF1142A74AF116630A9F2C0A26D782B9@OBEEX01.obe.access-company.com>
Hi All,

I have been trying to identify the term author in Widget specs.
[1] defines the <author> element and says:
"An author element represents people or an organization attributed with the creation of the widget."
However, it does not bring too much clarification to the points that were raised wrt author signature and related responsibilities.

I still wonder whether it is feasible to say more then the above and add more semantics to the author signature dispute.

BTW:
Probably there is an interesting academic (semantic web) aspect of the author being defined by both href/email attributes in P&C spec and X.500 hierarchy in the X.509 certificates.
This, however, does not tell us more about who/what the author is: it is still either URI, email or RDN.

Thanks.

Kind regards,
Marcin

[1] http://dev.w3.org/2006/waf/widgets/#the-author-element
________________________________________
From: public-webapps-request@w3.org [public-webapps-request@w3.org] On Behalf Of Marcin Hanclik [Marcin.Hanclik@access-company.com]
Sent: Thursday, March 26, 2009 11:05 PM
To: Thomas Roessler; Hillebrand, Rainer
Cc: marcosc@opera.com; paddy@aplix.co.jp; public-webapps@w3.org; otsi-arch-sec@omtplists.org
Subject: RE: AW: Re: [BONDI Architecture & Security] [widgets] new digsig  draft

Hi Thomas,

Nice suggestion, but I am not sure whether it will survive in the real world and be abandoned or replaced by other interpretations.

[I personally associate the author with the widget developer]

Let's imagine I am a developer D of the widget W and I work for company C.
Who is the actual author and what does it mean?
Whose private key is used for author signature?
Could e.g. the company C be the first distributor of the widget W and I remain the author and sign the widget with my private key?

I am not sure whether it is feasible to map all the possible configurations of the relationships with 2-level signature architecture (author + distributors).
Even then, the role names would not fit probably.

Maybe this would be enough?
> The author signature binds the author's identity to the widget package.
Then similarly:
> The distributor's signature binds the distributor's identity to the widget package.

So it would be only about binding various entities with each other.

Thanks.

Kind regards,
Marcin

________________________________________
From: public-webapps-request@w3.org [public-webapps-request@w3.org] On Behalf Of Thomas Roessler [tlr@w3.org]
Sent: Thursday, March 26, 2009 10:38 PM
To: Hillebrand, Rainer
Cc: marcosc@opera.com; paddy@aplix.co.jp; public-webapps@w3.org; otsi-arch-sec@omtplists.org
Subject: Re: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Suggestion:

> The author signature asserts that the signing party is an author of
> the widget, and binds the author's identity to the widget package.

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>







On 26 Mar 2009, at 17:20, Hillebrand, Rainer wrote:

> Dear Marcos,
>
> We cannot technically guarantee that the author signature really
> comes from the widget's author. It is like having an envelop with an
> unsigned letter. The envelop and the letter can come from different
> sources even if the envelop has a signature.
>
> Best Regards,
>
> Rainer
> ---------------------------------------
> Sent from my mobile device
>
>
> ----- Originalnachricht -----
> Von: Marcos Caceres <marcosc@opera.com>
> An: Paddy Byers <paddy@aplix.co.jp>
> Cc: Hillebrand, Rainer; WebApps WG <public-webapps@w3.org>; otsi-arch-sec@omtplists.org
>  <otsi-arch-sec@omtplists.org>
> Gesendet: Thu Mar 26 17:12:20 2009
> Betreff: Re: [BONDI Architecture & Security] [widgets] new digsig
> draft
>
> On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers <paddy@aplix.co.jp>
> wrote:
>> Hi,
>>
>>> Agreed. Can we say "were signed with the same certificate" instead?
>>
>> I understood that Webapps had agreed to add a signature profile that
>> designates a particular signature as the author signature - and
>> where this
>> is present it is possible to come up with appropriate precise
>> wording as to
>> whether or not two packages originate from the same author.
>
> Well, that's basically what we have, but Rainer seems to imply that it
> is impossible to do this. I think we get as close as we technically
> can to achieving that goal. However, if that current solution is
> inadequate, then please send us suggestions.
>
> --
> Marcos Caceres
> http://datadriven.com.au
>
>
> T-Mobile International AG
> Aufsichtsrat/ Supervisory Board: René Obermann (Vorsitzender/
> Chairman)
> Vorstand/ Board of Management: Hamid Akhavan (Vorsitzender/
> Chairman), Michael Günther, Lothar A. Harings, Katharina Hollender
> Handelsregister/Commercial Register Entry: Amtsgericht Bonn, HRB 12276
> Steuer-Nr./Tax No.: 205 / 5777/ 0518
> USt.-ID./VAT Reg.No.: DE189669124
> Sitz der Gesellschaft/ Corporate Headquarters: Bonn
>



________________________________________

Access Systems Germany GmbH
Essener Strasse 5  |  D-46047 Oberhausen
HRB 13548 Amtsgericht Duisburg
Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda

www.access-company.com

CONFIDENTIALITY NOTICE
This e-mail and any attachments hereto may contain information that is privileged or confidential, and is intended for use only by the
individual or entity to which it is addressed. Any disclosure, copying or distribution of the information by anyone else is strictly prohibited.
If you have received this document in error, please notify us promptly by responding to this e-mail. Thank you.


________________________________________

Access Systems Germany GmbH
Essener Strasse 5  |  D-46047 Oberhausen
HRB 13548 Amtsgericht Duisburg
Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda

www.access-company.com

CONFIDENTIALITY NOTICE
This e-mail and any attachments hereto may contain information that is privileged or confidential, and is intended for use only by the
individual or entity to which it is addressed. Any disclosure, copying or distribution of the information by anyone else is strictly prohibited.
If you have received this document in error, please notify us promptly by responding to this e-mail. Thank you.
Received on Thursday, 26 March 2009 23:02:29 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:30 GMT