Re: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: Packaging & Configuration spec

On Mon, Mar 2, 2009 at 2:56 PM, Hillebrand, Rainer wrote:
> Dear Marcos,
> In order to detect a man-in-the-middle attack, a widget resource is signed, either by an author's certificate that I trust or by an author certificate and a distributor certificate that I trust. "That I trust" means that I have the proven public keys for these certificates. If an attacker replaces or adds a file in the widget resource after it was signed, then the signatures will be invalid. If the signatures are stripped off, a file is replaced or added, and the widget resource is signed again with another certificate that I do not trust, then the attack will fail when checking the signature.

Yes, I am only really concerned with the case whereby the signature is
removed (I'm aware that it is not possible to do any kind of
replacement or tampering of the sig). The security policy that we (Web
Apps) have been discussing would allow unsigned widgets to run with
full privileges by default. I also push for this model because I don't
think developers should have to pay for a cert to have their apps run
on a device.

> I would agree with you that a secure transport will be useful if the widget resource is unsigned or signed with an unknown certificate. Then it will be the decision of a security framework and its security policies how such a widget resource will be treated.

Agreed. A point of contention is whether we standardize a base
security policy or not. We might just leave that totally up to

Marcos Caceres

Received on Monday, 2 March 2009 14:03:32 UTC