Re: [Widgets requirements]


Unfortunately, no. For you to encrypt something that a widget engine  
could read using asymmetrical encryption, I'd have to give you my  
public key. So far so good, but then for me to read it, I'd still  
need to have my private key in my software. Once there, it's  
effectively compromised. Even if the private key was somehow  
protected, you'd have to have the key to unlock it in your software.  
The only way to mitigate that would be to have a system where each  
copy of the software had its own private key and have it such that to  
run a protected widget it would have to be encrypted using that  
engine's public key. This is unwieldy and prevents you from just  
putting your software out there as a simple package for anyone to  


On Dec 30, 2006, at 10:18 AM, mozer wrote:

> On 12/30/06, Ed Voas wrote:
>> The problem I see with encrypting content is that you'll need to use
>> a shared secret. That secret will be in the source code of the widget
>> runner. This is something that I know our security peeps would have
>> an issue with. This is actually the main reason we don't have any
>> true encryption in our stuff to date. Does anyone know a good way to
>> pull this off with no shared secrets?
>
> That's the aim of asymmetric encryption.
> The emitter has a private key.
> Emit a public key out of that private one,
> and encrypt with his private key.
> You can decrypt with the public key,
> but nobody can encrypt with the public key, so nobody shares the
> secret with the emitter.
> Does this help you?
> Xmlizer

Received on Saturday, 30 December 2006 19:22:18 UTC
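
The two schemes discussed in this thread, as an added example that is not part of the original messages or of any widget engine's code. It uses Node.js's built-in `crypto` module; the function names (`makeKeyPair`, `packageFor`, `openPackage`, `signWidget`, `verifyWidget`) and the sample widget string are hypothetical and constructed for illustration.

```javascript
const crypto = require("crypto");

// Each installed copy of the engine (and the author) has its own RSA key pair.
function makeKeyPair() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Per-engine scheme from the top reply: encrypt the widget with a fresh
// AES-256-GCM key, then wrap that key with ONE engine's public key (RSA-OAEP).
function packageFor(enginePublicKey, widgetSource) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(widgetSource, "utf8"), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt(enginePublicKey, key);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

// Engine side: unwrap the AES key with this copy's private key, then decrypt.
// Returns null when the package was built for a different engine.
function openPackage(enginePrivateKey, pkg) {
  try {
    const key = crypto.privateDecrypt(enginePrivateKey, pkg.wrappedKey);
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, pkg.iv);
    decipher.setAuthTag(pkg.tag);
    return Buffer.concat([decipher.update(pkg.body), decipher.final()]).toString("utf8");
  } catch (err) {
    return null;
  }
}

// Scheme from the quoted reply: "encrypting with the private key" is a
// signature. Anyone holding the public key can check it, and the widget
// source itself stays readable, so it gives authenticity, not secrecy.
function signWidget(authorPrivateKey, widgetSource) {
  return crypto.sign("sha256", Buffer.from(widgetSource, "utf8"), authorPrivateKey);
}
function verifyWidget(authorPublicKey, widgetSource, signature) {
  return crypto.verify("sha256", Buffer.from(widgetSource, "utf8"), authorPublicKey, signature);
}

// Constructed sample run: a package made for engine A is useless to engine B.
const engineA = makeKeyPair(), engineB = makeKeyPair(), author = makeKeyPair();
const sample = "<widget>constructed sample</widget>";
const pkgForA = packageFor(engineA.publicKey, sample);
console.log("engine A opens it:", openPackage(engineA.privateKey, pkgForA) === sample);
console.log("engine B opens it:", openPackage(engineB.privateKey, pkgForA) !== null);
console.log("signature verifies:", verifyWidget(author.publicKey, sample, signWidget(author.privateKey, sample)));
```

The per-engine package has to be rebuilt for every installed copy, which is the distribution cost the top reply describes.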