Re: [widgets] Comment on Widgets 1.0: Digital Signatures - the Usage property

Hi Rainer,
2009/2/13 Hillebrand, Rainer <>:
> Dear Marcos,
> From my point of view the current model as described by you is ok. The author of the update description document and the author of the widget resource that shall be updated are able to control the security level shall be reached. This is not mandated by the widget specifications family. If somebody wants to provide an unsigned update package via HTTP for a signed widget resource then this will not be prevented by a widget user agent.

Agreed. A lot of software out there already works over this model. I
don't think it is worth over complicating it. Lets just keep it simple
and let it work over HTTP/HTTPS. Adding more complexity is unnecessary
IMHO. If it can be shown that HTTPS does not provide overall security
needed to achieve a widget update, then I think we should consider
throwing another signature into the mix.

Kind regards,
Marcos Caceres

Received on Sunday, 22 February 2009 14:39:29 UTC