AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Dear Marcos,

We cannot technically guarantee that the author signature really comes from the widget's author. It is like having an envelope with an unsigned letter. The envelope and the letter can come from different sources even if the envelope has a signature.

Best Regards,

Sent from my mobile device

----- Original Message -----
From: Marcos Caceres <>
To: Paddy Byers <>
Cc: Hillebrand, Rainer; WebApps WG <>; <>
Sent: Thu Mar 26 17:12:20 2009
Subject: Re: [BONDI Architecture & Security] [widgets] new digsig draft

On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers <> wrote:
> Hi,
>> Agreed. Can we say "were signed with the same certificate" instead?
> I understood that Webapps had agreed to add a signature profile that
> designates a particular signature as the author signature - and where this
> is present it is possible to come up with appropriate precise wording as to
> whether or not two packages originate from the same author.

Well, that's basically what we have, but Rainer seems to imply that it
is impossible to do this. I think we get as close as we technically
can to achieving that goal. However, if that current solution is
inadequate, then please send us suggestions.

Marcos Caceres

Received on Thursday, 26 March 2009 16:20:56 UTC