- From: Priestley, Mark, VF-Group <Mark.Priestley@vodafone.com>
- Date: Thu, 19 Feb 2009 20:33:30 +0100
- To: "public-webapps" <public-webapps@w3.org>
- Message-ID: <0BE18111593D8A419BE79891F6C46909028E798F@EITO-MBX01.internal.vodafone.com>
Hi All,

In response to:

Action #224 - Work with Marcos to flesh out the details of the processing model for multiple signatures; Mark and Marcos - http://www.w3.org/2008/webapps/track/actions/224

I have outlined two alternative approaches to address the issues that currently exist with the processing of multiple digital signatures (see below). Both approaches need some word-smithing but hopefully they provide a decent starting point for us to agree an approach. FWIW I think I prefer Approach 2.

Some things to note.

1. The "signed" variable of the configuration document is no longer set (and should be deleted). I can't think of any way to make this variable useful, especially with multiple signatures and the definition of different "types" of signature.

2. The dependency on the Digital Signature spec is nearly completely removed. There is actually one thing that I think needs to be added - how to find the "author signature", but otherwise I think the specifications can be decoupled.

3. The more I've been thinking about it recently, the more I've come to the conclusion that we should avoid specifying anything that equates to a security policy. This is what I have tried to do below, although this does make it necessary to rather obliquely refer to security policies.

Thoughts and comments welcomed.

Thanks,

Mark

------------------------------------------
Approach 1
------------------------------------------

Step 5 - Process the Digital Signatures

Note: The way in which both the author digital signature and distributor digital signature(s) are used is dependent on the security policy implemented by the widget user agent. As such, it is expected that a widget user agent implementing [Widgets-DigSig] <http://www.w3.org/TR/2008/WD-widgets-20081222/#widgets-digsig> will process any digital signatures according to the following algorithm.

It is however recognised that a security policy might not require the processing of all of the digital signatures included in the widget package. A widget user agent is therefore able to exit the processing of distributor digital signatures once it has established the information necessary to inform the security decision making process represented by its security policy, e.g. a signature from a particular end entity has been verified or confirmed as revoked.

Exit criteria - A result or set of results from the application of the Procedure for Verifying a Digital Signature Document in the [Widgets-DigSig] <http://www.w3.org/TR/2008/WD-widgets-20081222/#widgets-digsig> to one or more digital signatures that satisfies, positively or negatively, the widget user agent's security policy.

1. If present, the widget user agent should apply the Procedure for Verifying a Digital Signature Document, as defined in the [Widgets-DigSig] <http://www.w3.org/TR/2008/WD-widgets-20081222/#widgets-digsig> specification, to the author signature.

2. If the widget user agent determines that an exit criteria has been met:
   a. If the widget user agent determines that the widget is a valid widget, terminate this algorithm and go to step 6 <http://www.w3.org/TR/2008/WD-widgets-20081222/#step-6-determine-the-base-folder-and-widget-locale>.
   b. If the widget user agent determines that the widget is an invalid widget, apply the rules for dealing with invalid widgets.

3. Starting with the first file entry in the signatures list;
   a. Apply the Procedure for Verifying a Digital Signature Document, as defined in the [Widgets-DigSig] <http://www.w3.org/TR/2008/WD-widgets-20081222/#widgets-digsig> specification, to the file entry;
   b. If the widget user agent determines that an exit criteria has been met:
      i. If the widget user agent determines that the widget is a valid widget, terminate this algorithm and go to step 6 <http://www.w3.org/TR/2008/WD-widgets-20081222/#step-6-determine-the-base-folder-and-widget-locale>.
      ii. If the widget user agent determines that the widget is an invalid widget, apply the rules for dealing with invalid widgets,
   c. Otherwise, select the next file entry <http://www.w3.org/TR/2008/WD-widgets-20081222/#file-entry> in the signatures <http://www.w3.org/TR/2008/WD-widgets-20081222/#signatures> list and go to 3a in this algorithm.

4. If all of the file entries in signatures have been processed and no exit criteria has been met, go to step 6 <http://www.w3.org/TR/2008/WD-widgets-20081222/#step-6-determine-the-base-folder-and-widget-locale>.

------------------------------------------
Approach 2
------------------------------------------

Step 5 - Process the Digital Signatures

It is expected that the widget user agent will process the digital signatures in accordance with its security policy. This will involve the widget user agent processing zero or more of the identified digital signatures. The widget user agent must process digital signatures by applying the Procedure for Verifying a Digital Signature Document, as defined in [Widgets-DigSig] <http://www.w3.org/TR/2008/WD-widgets-20081222/#widgets-digsig>.

Unless the processing of the digital signatures results in an invalid widget, go to step 6

Mark Priestley
Security Expert
Vodafone Group R&D
Mobile: +44 (0)7717512838
E-mail: mark.priestley@vodafone.com <mailto:mark.priestley@vodafone.com>
www.betavine.net <http://www.betavine.net/> - Web
betavine.mobi - Mobile Web

Vodafone Group Services Limited
Registered Office: Vodafone House, The Connection, Newbury, Berkshire RG14 2FN
Registered in England No 3802001
Received on Thursday, 19 February 2009 19:34:25 UTC
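The Step 5 algorithm of Approach 1 above, worked through in Python as an added example (this is not code from the email, from the Widgets spec or from any widget user agent). The [Widgets-DigSig] "Procedure for Verifying a Digital Signature Document" is not implemented here: `make_verifier` is a constructed stand-in that reports an outcome already recorded in a constructed sample package, so only the processing model is exercised. The policy `trusted_distributor_policy`, the `SigResult` and `Step5Outcome` types and the `SAMPLE_PACKAGE` entries are all assumptions of this example; the email deliberately does not define a security policy, and this one is just illustrative.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SigResult:
    """Outcome of verifying one signature file entry (constructed type)."""
    entry: str     # file entry name inside the widget package
    role: str      # "author" or "distributor"
    signer: str    # end entity identified by the signing certificate
    status: str    # "verified", "invalid" or "revoked"


# Constructed sample package: one author signature and two distributor
# signatures. The outcomes are pre-recorded; no XML Signature is parsed.
SAMPLE_PACKAGE: Dict[str, dict] = {
    "author-signature.xml": {"role": "author", "signer": "Example Widgets Ltd", "status": "verified"},
    "signature1.xml": {"role": "distributor", "signer": "Store A", "status": "revoked"},
    "signature2.xml": {"role": "distributor", "signer": "Store B", "status": "verified"},
}


def make_verifier(package: Dict[str, dict]) -> Callable[[str], SigResult]:
    """Stand-in for the [Widgets-DigSig] verification procedure (assumption):
    returns the outcome recorded in the constructed package for an entry."""
    def verify(entry: str) -> SigResult:
        d = package[entry]
        return SigResult(entry, d["role"], d["signer"], d["status"])
    return verify


# A security policy is kept outside the algorithm, as the email proposes.
# It inspects the results gathered so far and answers None (no exit
# criterion met yet), "valid" or "invalid".
Policy = Callable[[List[SigResult]], Optional[str]]


def trusted_distributor_policy(trusted: set) -> Policy:
    """Constructed example policy: any revoked signature is a negative exit
    criterion; a verified distributor signature whose signer is in `trusted`
    is a positive one. Revocation is checked first so it always wins."""
    def policy(results: List[SigResult]) -> Optional[str]:
        if any(r.status == "revoked" for r in results):
            return "invalid"
        if any(r.role == "distributor" and r.status == "verified" and r.signer in trusted
               for r in results):
            return "valid"
        return None
    return policy


@dataclass(frozen=True)
class Step5Outcome:
    next_step: str               # "step 6" or "invalid widget rules"
    exit_criterion_met: bool     # False when every entry was examined
    examined: List[SigResult]    # results in processing order


def process_signatures(author: Optional[str], signatures: List[str],
                       verify: Callable[[str], SigResult],
                       policy: Policy) -> Step5Outcome:
    """Approach 1, Step 5: author signature first, then the signatures list
    in order, exiting as soon as the policy reports an exit criterion."""
    results: List[SigResult] = []

    def exit_if_decided() -> Optional[Step5Outcome]:
        decision = policy(results)
        if decision == "valid":       # 2a / 3b.i: terminate, go to step 6
            return Step5Outcome("step 6", True, results)
        if decision == "invalid":     # 2b / 3b.ii: rules for invalid widgets
            return Step5Outcome("invalid widget rules", True, results)
        return None

    # 1. The author signature is processed first, if present.
    if author is not None:
        results.append(verify(author))
        outcome = exit_if_decided()   # 2.
        if outcome is not None:
            return outcome

    # 3. Distributor signatures, starting with the first file entry.
    for entry in signatures:
        results.append(verify(entry))  # 3a
        outcome = exit_if_decided()    # 3b
        if outcome is not None:
            return outcome
        # 3c: otherwise continue with the next file entry

    # 4. All entries processed, no exit criterion met: go to step 6.
    return Step5Outcome("step 6", False, results)
```

One consequence of the early-exit model worth noting when writing a policy: because processing stops as soon as an exit criterion is satisfied, the order of entries in the signatures list decides which signatures a positive criterion is ever evaluated against. With the sample package, a policy that trusts "Store B" reaches the revoked "Store A" signature first and rejects the widget, whereas with the two distributor entries swapped it accepts the widget without ever examining the revoked one. A policy that must treat revocation as decisive therefore has to say so explicitly in its exit criteria rather than rely on all entries being examined.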