ISSUE-19: Widgets digital Signatures spec does not meet required use cases and requirements [Widgets]

http://www.w3.org/2008/webapps/track/issues/

Raised by: Marcos Caceres
On product: Widgets

R11. Digital Signature
A conforming specification must specify a means to digitally sign resources in a widget resource and a processing model for verifying the authenticity and the data integrity of the widget resource. The digital signature scheme must be compatible with existing Public Key Infrastructures (PKI), particularly X.509 digital certificates. In addition, the recommended digital signature format should support certificate chaining and the ability for a package to be signed by multiple authorities (i.e., multiple signatures).

The current Widgets 1.0: Digital Signature spec does not meet these requirements [1]. 

We currently only solve the problem for one signer signing the widget. 

We need to find solutions for:

1. Signing the package and allowing certificate chaining:
    signature.xml = A signs B signs...N signs widget files

2. Allowing multiple parties to sign the certificate in a separate file:
    SignatureB signs signatureA signs widget files

3. Allowing parallel signatures to sign the contents of a package:
    SignatureA signs widget files
    SignatureB signs widget files

We are still exploring if there are any use cases for a mixed-mode, e.g.:
    SignatureA signs widget files
    SignatureB signs widget files
    SignatureC signs SignatureA

[1] http://dev.w3.org/2006/waf/widgets-digsig/

Received on Friday, 27 June 2008 03:56:24 UTC