Re: [widgets] Comment on Widgets 1.0: Digital Signatures - the Usage property from Frederick Hirsch on 2009-02-24 (public-webapps@w3.org from January to March 2009)

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Tue, 24 Feb 2009 17:37:52 -0500
To: ext Marcos Caceres <marcosscaceres@gmail.com>
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, "Priestley, Mark, VF-Group" <Mark.Priestley@vodafone.com>, "Hillebrand, Rainer" <Rainer.Hillebrand@t-mobile.net>, public-webapps <public-webapps@w3.org>
Message-Id: <90EA8BAC-8FC3-4A8C-8B3E-8A9B76EA68CF@nokia.com>

+1, I think the current Widget Signature draft reflects this point of  
view with the focus on author and distributor signatures and no usage  
or concern with updates specific to Widget Signature. That said, we  
may wish to review the update mechanism from a security point of view,  
but I don't believe that is specific to Widget Signature.

regards, Frederick

Frederick Hirsch
Nokia



On Feb 13, 2009, at 8:26 AM, ext Marcos Caceres wrote:

>
> 2009/2/12 Priestley, Mark, VF-Group <Mark.Priestley@vodafone.com>:
>>
>> [mp] As a general comment, I think this is a pretty difficult  
>> problem to address in a secure manner. IMO the most reliable way of  
>> authorising an update would be through the use of an "update  
>> signature" however, HTTPS provides a workable alternative and plain  
>> HTTP might be fine in other circumstances. For what it's worth I  
>> think that the real security issue is how the update is handled but  
>> this doesn't mean defining an "update signature" is not useful.
>>
>
> I agree that an update signature would be useful, but would like to
> see this just be solved with HTTP and HTTPS for v1. That should cover
> most use cases.
>
> Here is my current thinking. Widget version 1 is distributed and
> signed. The config looks like this:
>
> <widget version="1.0">
>   <update href="https://some.com/update?version=1.0" />
> </widget>
>
> Because the widget was signed, the update href can be considered
> authoritative/trusted. That securely downloads the update description
> document:
>
> <widgetupdate xmlns="http://www.w3.org/ns/widgets"
>  src="https://example.com/myWidget/v1.1b/awesome.wgt"
>  version="1.1"
>  id="http://example.com/myWidget"
>  size="1024"
>  notify="https://example.com/myWidget/updateManager.php?this-v=1.1&amp;was-v= 
> {version}">
>  <details href="http://a.com/myWidget/1.1/whatsnew">
>    We fixed some bugs and improved performance!
>  </details>
> </widgetupdate>
>
> The src is downloaded and treated as a normal widget package. If it is
> not signed, or the signature cannot be validated, then the usual
> warnings are given. If it is signed, then it is processed as normal.
>
> Is there much wrong with the current model?
>
> Kind regards,
> Marcos
> --
> Marcos Caceres
> http://datadriven.com.au
>

Received on Tuesday, 24 February 2009 22:39:56 UTC