- From: Ed Voas <voas@yahoo-inc.com>
- Date: Sat, 30 Dec 2006 11:21:55 -0800
- To: public-appformats@w3.org
- Message-Id: <58A27363-89FA-4C84-9D08-B5832685C1BD@yahoo-inc.com>
Hi, Unfortunately, no. For you to encrypt something that a widget engine could read using asymmetrical encryption, I'd have to give you my public key. So far so good, but then for me to read it, I'd still need to have my private key in my software. Once there, it's effectively compromised. Even if the private key was somehow protected, you'd have to have the key to unlock it in your software. The only way to mitigate that would be to have a system where each copy of the software had its own private key and have it such that to run a protected widget it would have to be encrypted using that engine's public key. This is unwieldy and prevents you from just putting your software out there as a simple package for anyone to download. --Ed On Dec 30, 2006, at 10:18 AM, mozer wrote: > > > On 12/30/06, Ed Voas <voas@yahoo-inc.com> wrote: > > The problem I see with encrypting content is that you'll need to use > a shared secret. That secret will be in the source code of the widget > runner. This is something that I know our security peeps would have > an issue with. This is actually the main reason we don't have any > true encryption in our stuff to date. Does anyone know a good way to > pull this off with no shared secrets? > > That's the aim of asymetric encryption > The emittor has a private key > Emit a public key out of that private one > And encrypt with his private key > You can decrypt with the public key > But nobody can encrypt with the public key, so nobody share the > secret with the emittor > > Does this help you? > > Xmlizer > >
Received on Saturday, 30 December 2006 19:22:18 UTC