- From: Marcos Caceres <marcosscaceres@gmail.com>
- Date: Fri, 13 Feb 2009 23:26:38 +1000
- To: "Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>
- Cc: "Hillebrand, Rainer" <Rainer.Hillebrand@t-mobile.net>, public-webapps <public-webapps@w3.org>
2009/2/12 Priestley, Mark, VF-Group <Mark.Priestley@vodafone.com>:
>
> [mp] As a general comment, I think this is a pretty difficult problem to address in a secure manner. IMO the most reliable way of authorising an update would be through the use of an "update signature"; however, HTTPS provides a workable alternative and plain HTTP might be fine in other circumstances. For what it's worth, I think that the real security issue is how the update is handled, but this doesn't mean defining an "update signature" is not useful.
>

I agree that an update signature would be useful, but would like to see this just be solved with HTTP and HTTPS for v1. That should cover most use cases.

Here is my current thinking. Widget version 1 is distributed and signed. The config looks like this:

<widget version="1.0">
  <update href="https://some.com/update?version=1.0" />
</widget>

Because the widget was signed, the update href can be considered authoritative/trusted. That securely downloads the update description document:

<widgetupdate xmlns="http://www.w3.org/ns/widgets"
              src="https://example.com/myWidget/v1.1b/awesome.wgt"
              version="1.1"
              id="http://example.com/myWidget"
              size="1024"
              notify="https://example.com/myWidget/updateManager.php?this-v=1.1&amp;was-v={version}">
  <details href="http://a.com/myWidget/1.1/whatsnew">
    We fixed some bugs and improved performance!
  </details>
</widgetupdate>

The src is downloaded and treated as a normal widget package. If it is not signed, or the signature cannot be validated, then the usual warnings are given. If it is signed, then it is processed as normal.

Is there much wrong with the current model?

Kind regards,
Marcos

--
Marcos Caceres
http://datadriven.com.au
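As an added illustration (not code from the message or from any W3C widget implementation), the following sketches the checks a widget engine could apply to the proposed update description document before it fetches the package: same namespace, same widget id as the installed widget, a strictly newer version, an HTTPS src, and a usable size. The sample document is constructed from the one in the message, with the '&' in the notify URL escaped as '&amp;' so it is well-formed XML; treating {version} in notify as a placeholder for the installed version is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WIDGETS_NS = "http://www.w3.org/ns/widgets"

# Constructed sample of the update description document proposed in the message.
# A raw '&' inside an attribute is not well-formed XML, so it is written as '&amp;'.
SAMPLE = """<widgetupdate xmlns="http://www.w3.org/ns/widgets"
  src="https://example.com/myWidget/v1.1b/awesome.wgt" version="1.1"
  id="http://example.com/myWidget" size="1024"
  notify="https://example.com/myWidget/updateManager.php?this-v=1.1&amp;was-v={version}">
  <details href="http://a.com/myWidget/1.1/whatsnew">We fixed some bugs and improved performance!</details>
</widgetupdate>"""


def parse_version(v):
    """Dotted numeric version string -> tuple, so '1.10' compares above '1.9'."""
    return tuple(int(p) for p in v.split("."))


def check_update(doc, installed_id, installed_version):
    """Parse an update description and return (ok, reason, info)."""
    root = ET.fromstring(doc)
    if root.tag != "{%s}widgetupdate" % WIDGETS_NS:
        return False, "wrong root element or namespace", None
    info = dict(root.attrib)
    # The document must describe the widget that is actually installed; otherwise a
    # misbehaving update server could substitute an unrelated package.
    if info.get("id") != installed_id:
        return False, "id mismatch", None
    try:
        new_v = parse_version(info["version"])
    except (KeyError, ValueError):
        return False, "missing or malformed version", None
    # Refuse equal or older versions so a replayed old document cannot downgrade.
    if new_v <= parse_version(installed_version):
        return False, "not newer than installed version", None
    # The package itself must come over HTTPS, or the trust chain from the signed
    # config through the HTTPS update href is broken at the last step.
    if urlsplit(info.get("src", "")).scheme != "https":
        return False, "src must be https", None
    try:
        info["size"] = int(info["size"])  # used to bound the download
    except (KeyError, ValueError):
        return False, "missing or malformed size", None
    # Assumption: {version} in notify stands for the version being replaced.
    info["notify"] = info.get("notify", "").replace("{version}", installed_version)
    details = root.find("{%s}details" % WIDGETS_NS)
    info["details"] = (details.text or "").strip() if details is not None else ""
    return True, "ok", info
```

Signature validation of the downloaded .wgt is left to the normal widget package processing, as the message describes.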
Received on Friday, 13 February 2009 13:27:20 UTC