Re: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: Packaging & Configuration spec

On Mon, Mar 2, 2009 at 2:01 PM, Hillebrand, Rainer wrote:
> Dear Marcos,
> I have some doubts that a secure transport of a widget resource is so important in case of a signed widget resource. I would agree with you that we currently do not know how a signature is considered because we do not have a security framework and security policies that would define the use of signatures. However, if a user agent implements a security framework that enforces security policies considering signed widget resources then a secure transport will not be required. The signature shall guarantee the widget resource's integrity and authenticity. What would a secure transport add?

The way I see it, secure transport would add protection from a
signature being deleted from the archive or replaced altogether,
with the inclusion of other files (i.e., protects from a
man-in-the-middle attack). There may be other things too, but I have
not thought of them yet.

Kind regards,
Marcos Caceres

Received on Monday, 2 March 2009 13:30:16 UTC
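
The two positions in this thread, as an added example that is not part of the original messages or of the Widgets specification: a user agent check run over an intact archive, one whose signature was removed in transit, and one re-signed by an unknown party. Assumptions: HMAC with a shared key stands in for a real public-key signature, and the entry name `signature.sig`, the `TRUSTED` keys and the `require_signature` policy flag are hypothetical.

```python
import hashlib, hmac, io, zipfile

SIG_NAME = "signature.sig"                 # hypothetical entry name for the signature
TRUSTED = {"publisher": b"publisher-key"}  # constructed signer keys the user agent trusts

def digest(files):
    """Hash every non-signature entry (name and content) in sorted order."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + hashlib.sha256(files[name]).digest())
    return h.digest()

def pack(files, signer=None, key=None):
    """Build a widget archive in memory, optionally adding a signature entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        if signer:
            mac = hmac.new(key, digest(files), hashlib.sha256).hexdigest()
            z.writestr(SIG_NAME, f"{signer}:{mac}")
    return buf.getvalue()

def check(archive, require_signature):
    """Return 'trusted', 'unsigned' or 'rejected' for a received archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        files = {n: z.read(n) for n in z.namelist()}
    sig = files.pop(SIG_NAME, None)
    if sig is None:
        # No signature present: only a policy that demands one notices the removal.
        return "rejected" if require_signature else "unsigned"
    signer, _, mac = sig.decode(errors="replace").partition(":")
    key = TRUSTED.get(signer)
    if key is None:
        return "rejected"                  # signed, but not by a signer we trust
    good = hmac.new(key, digest(files), hashlib.sha256).hexdigest()
    return "trusted" if hmac.compare_digest(mac.encode(), good.encode()) else "rejected"

# Constructed sample archives
original = pack({"config.xml": b"<widget/>", "index.html": b"hello"},
                "publisher", TRUSTED["publisher"])
stripped = pack({"config.xml": b"<widget/>", "index.html": b"changed in transit"})
resigned = pack({"config.xml": b"<widget/>", "index.html": b"changed in transit"},
                "someone-else", b"other-key")

if __name__ == "__main__":
    for label, archive in [("original", original), ("stripped", stripped), ("resigned", resigned)]:
        print(label, check(archive, require_signature=False), check(archive, require_signature=True))
```

Without a policy that requires a signature, the stripped archive is indistinguishable from an ordinary unsigned widget; with such a policy and a fixed set of trusted signers, both altered archives are rejected regardless of the transport.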