- From: Marcos Caceres <m.caceres@qut.edu.au>
- Date: Sun, 24 Dec 2006 12:50:49 +1000
- To: "WAF WG (public)" <public-appformats@w3.org>
Hi all, The Widgets requirements documents [1] has been updated. Highlights: New requirements ~~~~~~~~~~~~~ R8 Digital Signature The packaging format should allow authors to digitally sign their packaged applications so that a user can verify the authenticity and the integrity of the package, as well as provide some means for non-repudiation. Motivation: Security, current development practice or industry best-practices. R9. Encryption The packaging format may include one or more resources that describe encryption methods used to encrypt particular resources within the package. Motivation: Security, current development practice or industry best-practices. New text in the introduction: ~~~~~~~~~~~~~~~~~~~~ In some cases, authors may choose to digitally sign a package as a more secure means of distribution and deployment. A digitally signed package provides users with a means to verify the authenticity and the integrity of a package, as well as giving a user a degree of support for non-repudiation. Users can verify the authenticity of a package by decrypting an encrypted hash of the content (known as a digest) using an author's public key; theoretically, only an author's public key should be able to decrypt the digest. Users can then check the integrity of a package by checking the hash of the package against an encrypted digest for equality. If the values do not match, then it is likely that the file is either corrupt or someone has tampered with the contents of the package after the author signed it. Non-repudiation refers to the fact that a digital signature makes it difficult for an author to deny signing the contents of a package as only the author should have access to the private key used to create the digital signature. An author may also include in the package a digital certificate, which they obtain from a Certification Authority (CA), that a user can use to further verify the authenticity of the author and the package. An author may choose to encrypt particular resources within the package without affecting the ability for the application to run. For instance, the author may choose to encrypt source code or any resources they want to keep secure. It should be noted that encrypting resources is currently not a standard practice in the Widget development space, but may become an important requirement as the popularity of widgets continues to grow. --- Merry Xmas! [1] http://dev.w3.org/cvsweb/2006/waf/WAPF/WD-WAPF-REQ-20060726.html -- Marcos Caceres http://datadriven.com.au
Received on Sunday, 24 December 2006 02:50:59 UTC