- From: Marcos Caceres <marcosc@opera.com>
- Date: Sun, 22 Feb 2009 15:38:46 +0100
- To: "Hillebrand, Rainer" <Rainer.Hillebrand@t-mobile.net>
- Cc: public-webapps <public-webapps@w3.org>, "Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>
Hi Rainer, 2009/2/13 Hillebrand, Rainer <Rainer.Hillebrand@t-mobile.net>: > Dear Marcos, > > From my point of view the current model as described by you is ok. The author of the update description document and the author of the widget resource that shall be updated are able to control the security level shall be reached. This is not mandated by the widget specifications family. If somebody wants to provide an unsigned update package via HTTP for a signed widget resource then this will not be prevented by a widget user agent. > Agreed. A lot of software out there already works over this model. I don't think it is worth over complicating it. Lets just keep it simple and let it work over HTTP/HTTPS. Adding more complexity is unnecessary IMHO. If it can be shown that HTTPS does not provide overall security needed to achieve a widget update, then I think we should consider throwing another signature into the mix. Kind regards, Marcos -- Marcos Caceres http://datadriven.com.au
Received on Sunday, 22 February 2009 14:39:29 UTC