[Widgets requirements] from Marcos Caceres on 2006-12-24 (public-appformats@w3.org from December 2006)

From: Marcos Caceres <m.caceres@qut.edu.au>
Date: Sun, 24 Dec 2006 12:50:49 +1000
To: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <b21a10670612231850v516bca6cxc03d1f9aeed63cd@mail.gmail.com>

Hi all,
The Widgets requirements documents [1] has been updated. Highlights:

New requirements
~~~~~~~~~~~~~

R8 Digital Signature
The packaging format should allow authors to digitally sign their
packaged applications so that a user can verify the authenticity and
the integrity of the package, as well as provide some means for
non-repudiation.

Motivation:
    Security, current development practice or industry best-practices.

R9. Encryption
The packaging format may include one or more resources that describe
encryption methods used to encrypt particular resources within the
package.

Motivation:
    Security, current development practice or industry best-practices.

New text in the introduction:
~~~~~~~~~~~~~~~~~~~~

In some cases, authors may choose to digitally sign a package as a
more secure means of distribution and deployment. A digitally signed
package provides users with a means to verify the authenticity and the
integrity of a package, as well as giving a user a degree of support
for non-repudiation. Users can verify the authenticity of a package by
decrypting an encrypted hash of the content (known as a digest) using
an author's public key; theoretically, only an author's public key
should be able to decrypt the digest. Users can then check the
integrity of a package by checking the hash of the package against an
encrypted digest for equality. If the values do not match, then it is
likely that the file is either corrupt or someone has tampered with
the contents of the package after the author signed it.
Non-repudiation refers to the fact that a digital signature makes it
difficult for an author to deny signing the contents of a package as
only the author should have access to the private key used to create
the digital signature. An author may also include in the package a
digital certificate, which they obtain from a Certification Authority
(CA), that a user can use to further verify the authenticity of the
author and the package.

An author may choose to encrypt particular resources within the
package without affecting the ability for the application to run. For
instance, the author may choose to encrypt source code or any
resources they want to keep secure. It should be noted that encrypting
resources is currently not a standard practice in the Widget
development space, but may become an important requirement as the
popularity of widgets continues to grow.
---

Merry Xmas!

[1] http://dev.w3.org/cvsweb/2006/waf/WAPF/WD-WAPF-REQ-20060726.html



-- 
Marcos Caceres
http://datadriven.com.au

Received on Sunday, 24 December 2006 02:50:59 UTC