Re: ISSUE-19: Widgets digital Signatures spec does not meet required use cases and requirements [Widgets] from Arthur Barstow on 2009-03-05 (public-webapps@w3.org from January to March 2009)

From: Arthur Barstow <art.barstow@nokia.com>
Date: Thu, 5 Mar 2009 12:16:05 -0500
To: Web Applications Working Group WG <public-webapps@w3.org>
Message-Id: <46FFBA59-ECBD-4AB0-8146-7834C28903BF@nokia.com>

During the March 5 widgets voice conference, the group agreed [1]  
this issue can be closed since the latest version of the Widgets  
Digital Signature spec [2] address this issues' concerns.

-Regards, Art Barstow

[1] <http://www.w3.org/2009/03/05-wam-minutes.html#item04>
[2] <http://dev.w3.org/2006/waf/widgets-digsig/>

On Jun 26, 2008, at 11:54 PM, ext Web Applications Working Group  
Issue Tracker wrote:

>
> ISSUE-19: Widgets digital Signatures spec does not meet required  
> use cases and requirements  [Widgets]
>
> http://www.w3.org/2008/webapps/track/issues/
>
> Raised by: Marcos Caceres
> On product: Widgets
>
> R11. Digital Signature
> A conforming specification must specify a means to digitally sign  
> resources in a widget resource and a processing model for verifying  
> the authenticity and the data integrity of the widget resource. The  
> digital signature scheme must be compatible with existing Public  
> Key Infrastructures (PKI), particularly X.509 digital certificates.  
> In addition, the recommended digital signature format should  
> support certificate chaining and the ability for a package to be  
> signed by multiple authorities (i.e., multiple signatures).
>
> The current Widgets 1.0: Digital Signature spec does not meet these  
> requirements [1].
>
> We currently only solve the problem for one signer signing the widget.
>
> We need to find solutions for:
>
> 1. Signing the package and allowing certificate chaining:
>     signature.xml = A signs B signs...N signs widget files
>
> 2. Allowing multiple parties to sign the certificate in a separate  
> file:
>     SignatureB signs signatureA signs widget files
>
> 3. Allowing parallel signatures to sign the contents of a package:
>    SignatureA signs widget files
>    SignatureB signs widget files
>
> We are still exploring if there are any use cases for a mixed-mode,  
> e.g.:
>  SignatureA signs widget files
>  SignatureB signs widget files
>  SignatureC signs SignatureA
>
> [1] http://dev.w3.org/2006/waf/widgets-digsig/
>
>
>
>
>

Received on Thursday, 5 March 2009 17:16:56 UTC