Re: Widget Requirements: Updates vs security

Hi Thomas,

On Thu, Aug 7, 2008 at 10:43 AM, Thomas Roessler <tlr@w3.org> wrote:
>
> While I'm on it...  I believe that we should add the following
> points to the automatic update requirement:
>
>  - Conforming specifications should ensure that updates are
>   authenticated.
>
>  - Conforming specifications should provide a mechanism to protect
>   against downgrade attacks using ancient versions of widgets.
>
>   (Essentially, version information should be part of the Widget,
>   signed, and evaluated upon updates.)
>
>  - Conforming specifications should apply signature verification
>   policies to updates that are consistent with those applied upon
>   original installation of the widget.


Ok, combining what we have already with your suggestions, the new text
now reads:

"A conforming specification MUST specify a model to allow widget user
agents to automatically check if a new version of a widget resource
has become available online or from local storage. A conforming
specification MUST recommend that an updated widget is downloaded only
with the user's consent and that users be able to cancel or defer
updates. An automatic update MUST preserve the identity of a widget,
meaning that preferences previously set by the user are retained
after the update process. A conforming specification SHOULD recommend
that, when possible, automatic updates be conducted over a secure
communication channel. In addition, a conforming specification SHOULD
specify a means for updates to be authenticated. A conforming
specification should also define a mechanism to protect against
downgrade attacks using ancient versions of widgets. A conforming
specification SHOULD specify that signature verification policies be
applied to updates in a manner that is consistent with those applied
upon original installation of the widget."

> I'm also wondering whether there is something to be said in the
> requirements document concerning the handling of possibly changing
> security declarations during updates.

Need to think about this one a bit more; particularly in regards to
use cases. For instance, in a new version of a widget, I might want to
add support for file access and access to another domain, but retain
the user's preset preferences. It would suck, as a developer, if I was
not allowed to do that.

-- 
Marcos Caceres
http://datadriven.com.au

Received on Thursday, 7 August 2008 10:43:47 UTC
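The three update checks discussed in this thread (authenticated updates, downgrade protection with the version inside the signed data, and a verification policy consistent with the one applied at installation), plus retention of user preferences, as a worked example added here; it is not code from the thread or from the widget specifications. Assumptions: an HMAC-SHA256 tag stands in for the package signature so the example runs with the Python standard library only (the widget work itself uses XML Signature), the trust anchors, widget id and preferences are constructed sample data, and the function names are my own.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed trust anchors: the signers a widget user agent accepts.
# Assumption: HMAC-SHA256 stands in for a real package signature (the widget
# work uses XML Signature); the structure of the checks is the point here.
TRUST_ANCHORS = {
    "vendor-key-1": b"constructed-key-one",
    "vendor-key-2": b"constructed-key-two",
}


def canonical_bytes(manifest: dict) -> bytes:
    """Canonical form of the signed part of a widget: id and version included."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_package(manifest: dict, key_id: str) -> dict:
    """Sign a manifest (publisher side); the version is inside the signed bytes."""
    tag = hmac.new(TRUST_ANCHORS[key_id], canonical_bytes(manifest), hashlib.sha256)
    return {"manifest": manifest, "key_id": key_id, "signature": tag.hexdigest()}


def parse_version(text: str) -> tuple:
    """'1.10' sorts after '1.9'; a plain string compare would get this wrong."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class InstalledWidget:
    manifest: dict
    signer_key_id: str  # signer accepted at original installation
    preferences: dict = field(default_factory=dict)


def verify_update(installed: InstalledWidget, package: dict):
    """Return (accepted, reason, state); state is unchanged on rejection."""
    manifest, key_id, sig = package["manifest"], package["key_id"], package["signature"]

    # Authentication: recompute the tag under the claimed signer.
    key = TRUST_ANCHORS.get(key_id)
    if key is None:
        return False, "unknown signer", installed
    expected = hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature invalid", installed

    # Consistent policy: the update must come from the signer accepted at install.
    if key_id != installed.signer_key_id:
        return False, "signer differs from the one accepted at installation", installed

    # Identity: an update may not silently turn into a different widget.
    if manifest.get("id") != installed.manifest.get("id"):
        return False, "widget identity changed", installed

    # Downgrade protection: the signed version must be strictly newer.
    if parse_version(manifest["version"]) <= parse_version(installed.manifest["version"]):
        return False, "not newer than the installed version", installed

    # Preferences set by the user survive the update.
    new_state = InstalledWidget(manifest, key_id, dict(installed.preferences))
    return True, "update accepted", new_state


# Constructed sample data for a stand-alone run.
INSTALLED = InstalledWidget(
    {"id": "http://example.org/widgets/clock", "version": "1.9"},
    "vendor-key-1",
    {"timezone": "UTC", "theme": "dark"},
)


def demo() -> dict:
    """Run four update scenarios and return the reason string for each."""
    widget_id = INSTALLED.manifest["id"]
    good = build_package({"id": widget_id, "version": "1.10"}, "vendor-key-1")
    old = build_package({"id": widget_id, "version": "1.2"}, "vendor-key-1")
    other_signer = build_package({"id": widget_id, "version": "1.10"}, "vendor-key-2")
    tampered = dict(good)
    tampered["manifest"] = dict(good["manifest"], version="2.0")  # edited after signing
    return {name: verify_update(INSTALLED, pkg)[1]
            for name, pkg in [("good", good), ("old", old),
                              ("other_signer", other_signer), ("tampered", tampered)]}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:13s} -> {reason}")
```

The order of the checks matters: the signature is verified before anything in the manifest is trusted, so the version comparison only ever runs on a version the signer vouched for. The tampered case shows why the version has to be part of the signed data, and the other_signer case shows the install-time policy being carried forward rather than re-evaluated from scratch on each update.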