- From: Marcos Caceres <marcosscaceres@gmail.com>
- Date: Thu, 7 Aug 2008 20:43:02 +1000
- To: public-webapps@w3.org
Hi Thomas,

On Thu, Aug 7, 2008 at 10:43 AM, Thomas Roessler <tlr@w3.org> wrote:
>
> While I'm on it... I believe that we should add the following
> points to the automatic update requirement:
>
> - Conforming specifications should ensure that updates are
> authenticated.
>
> - Conforming specifications should provide a mechanism to protect
> against downgrade attacks using ancient versions of widgets.
>
> (Essentially, version information should be part of the Widget,
> signed, and evaluated upon updates.)
>
> - Conforming specifications should apply signature verification
> policies to updates that are consistent with those applied upon
> original installation of the widget.

Ok, combining what we have already with your suggestions, the new text now reads:

"A conforming specification MUST specify a model to allow widget user agents to automatically check if a new version of a widget resource has become available online or from local storage. A conforming specification MUST recommend that an updated widget is downloaded only with the user's consent and that users be able to cancel or defer updates. An automatic update MUST preserve the identity of a widget, meaning that preferences previously set by the user are retained after the update process. A conforming specification SHOULD recommend that, when possible, automatic updates be conducted over a secure communication channel. In addition, a conforming specification SHOULD specify a means for updates to be authenticated. A conforming specification should also define a mechanism to protect against downgrade attacks using ancient versions of widgets. A conforming specification SHOULD specify that signature verification policies be applied to updates in a manner that is consistent with those applied upon original installation of the widget."
> I'm also wondering whether there is something to be said in the
> requirements document concerning the handling of possibly changing
> security declarations during updates.

Need to think about this one a bit more; particularly in regards to use cases. For instance, in a new version of a widget, I might want to add support for file access and access to another domain, but retain the user's preset preferences. It would suck, as a developer, if I was not allowed to do that.

-- 
Marcos Caceres
http://datadriven.com.au
Received on Thursday, 7 August 2008 10:43:47 UTC
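The draft requirement text above lists four properties an update path needs (authenticated package, version carried inside the signed data and compared against the installed one, the same signature policy as at install time, and retained identity and preferences), and the open question is what to do when the update adds security declarations. The following is an added illustration of how a widget user agent could combine those checks; it is not code from the thread, the W3C specification, or any user agent. The widget id, signer name, key, versions and preferences are constructed, and an HMAC-SHA256 tag stands in for the public-key widget signature so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed trust anchor: the signing key the user agent recorded when the widget
# was first installed. Real widget packages carry public-key (XML) signatures; the
# HMAC-SHA256 tag here is only a stand-in so the example runs without extra libraries.
INSTALL_TRUST_ANCHORS = {"vendor-a": b"constructed-install-time-key"}

# Constructed state of an already installed widget. 'prefs' are the user's settings the
# update must carry forward; 'access' holds the security declarations granted at install.
INSTALLED = {
    "id": "http://example.org/widgets/clock",
    "version": "1.2.0",
    "signer": "vendor-a",
    "access": {"http://example.org"},
    "prefs": {"timezone": "Australia/Sydney", "24h": True},
}


class UpdateRejected(Exception):
    """Raised when a candidate update fails any acceptance check."""


def canonical(manifest):
    """Canonical bytes of the manifest so signer and verifier hash the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """Stand-in signature over the whole manifest, version included."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).digest()


def parse_version(text):
    """'1.2.10' -> (1, 2, 10); compare numerically, since as strings '1.2.10' < '1.2.9'."""
    return tuple(int(part) for part in text.split("."))


def make_candidate(version, key=INSTALL_TRUST_ANCHORS["vendor-a"], access=None,
                   signer="vendor-a", widget_id=INSTALLED["id"]):
    """Build a constructed update package: a manifest plus a signature over it."""
    manifest = {
        "id": widget_id,
        "version": version,
        "signer": signer,
        "access": sorted(access if access is not None else INSTALLED["access"]),
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest, key)}


def check_update(installed, candidate, trust_anchors=INSTALL_TRUST_ANCHORS):
    """Apply the acceptance checks from the draft text to a candidate update.

    Returns the new installed state (identity and preferences retained) together with
    the security declarations the update adds, so the user agent can ask the user about
    them before granting them. Raises UpdateRejected if any check fails.
    """
    manifest = candidate["manifest"]

    # Signature first: nothing in the manifest, the version included, is trusted until
    # the signature over it has been verified. Same policy as at install time: only the
    # signer that was accepted when the widget was installed may sign its updates.
    signer = manifest.get("signer")
    if signer not in trust_anchors:
        raise UpdateRejected("signer not trusted")
    if signer != installed["signer"]:
        raise UpdateRejected("signer differs from the one accepted at install time")
    expected = sign_manifest(manifest, trust_anchors[signer])
    if not hmac.compare_digest(expected, candidate["signature"]):
        raise UpdateRejected("signature verification failed")

    # Identity must be preserved: an update may not swap one widget for another.
    if manifest.get("id") != installed["id"]:
        raise UpdateRejected("widget identity changed")

    # Downgrade protection: the version comes from the signed manifest and must be
    # strictly newer, so replaying an old, validly signed package is refused.
    if parse_version(manifest["version"]) <= parse_version(installed["version"]):
        raise UpdateRejected("version %s is not newer than installed %s"
                             % (manifest["version"], installed["version"]))

    # Declarations not granted at install time are reported rather than silently
    # granted; whether to prompt for them is the open question in the thread.
    new_access = set(manifest.get("access", [])) - set(installed["access"])

    return {
        "id": installed["id"],
        "version": manifest["version"],
        "signer": signer,
        "access": set(manifest.get("access", [])),
        "prefs": dict(installed["prefs"]),  # user preferences carried over unchanged
        "new_access": new_access,
    }


if __name__ == "__main__":
    accepted = check_update(INSTALLED, make_candidate("1.2.10", access={"http://example.org", "file"}))
    print("accepted", accepted["version"], "new declarations:", accepted["new_access"])
    for bad in (make_candidate("1.1.9"),
                make_candidate("2.0.0", key=b"attacker-key"),
                make_candidate("2.0.0", signer="vendor-b")):
        try:
            check_update(INSTALLED, bad)
        except UpdateRejected as exc:
            print("rejected:", exc)
```

The order of the checks is the point: the version used for the downgrade comparison is only meaningful after the signature over the manifest that carries it has verified, and the signer is matched against what was trusted at install time rather than against any key the package happens to name.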