RE: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi All,

As the author signature was something I had a hand in creating let me add my 2 pence worth.

Rainer is correct in that the author signature need not actually come from the author of the widget. It comes from someone who claims to be the widget's author. Whether you believe this claim depends on how much you trust the signer. 

In [1] the current text says:

The author signature can be used to determine:

    * the author of a widget,
    * that the integrity of the widget is as the author intended,
    * and whether two widgets came from the same author. 

I would suggest changing this to:

The author signature can be used to:

    * authenticate the identity of the entity that added the author signature to the widget package,
    * confirm that no widget files have been modified, deleted or added since the generation of the author signature.

The author signature may be used to:
    * determine whether two widgets came from the same author. 

The reason the last point is a "may" is as follows:

If two widgets contain author signatures that were created using the same private key then we can say that the widgets were both signed by someone who had access to that key. That would normally mean the same entity (author, company, whatever). If the owner of that key shares it with others then obviously this is no longer true. However, this is the choice of the owner of the key - normally you would not share your private key!

One additional point to add. We also define a distributor signature. Distributor signatures cover the author signature. As such, a distributor signature may (depending on other factors) be making an implicit statement that the distributor believes the owner of the author signature to be the widget's author.

Any clearer? 

>-----Original Message-----
>[] On Behalf Of Hillebrand, Rainer
>Sent: 26 March 2009 16:20
>Subject: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft
>Dear Marcos,
>We cannot technically guarantee that the author signature 
>really comes from the widget's author. It is like having an 
>envelope with an unsigned letter. The envelope and the letter 
>can come from different sources even if the envelope has a signature.
>Best Regards,
>Sent from my mobile device
>----- Original Message -----
>From: Marcos Caceres <>
>To: Paddy Byers <>
>Cc: Hillebrand, Rainer; WebApps WG <>; 
> <>
>Sent: Thu Mar 26 17:12:20 2009
>Subject: Re: [BONDI Architecture & Security] [widgets] new digsig draft
>On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers <> wrote:
>> Hi,
>>> Agreed. Can we say "were signed with the same certificate" instead?
>> I understood that Webapps had agreed to add a signature profile that designates a particular signature as the author signature - and where this is present it is possible to come up with appropriate precise wording as to whether or not two packages originate from the same author.
>Well, that's basically what we have, but Rainer seems to imply 
>that it is impossible to do this. I think we get as close as 
>we technically can to achieving that goal. However, if that 
>current solution is inadequate, then please send us suggestions.
>Marcos Caceres
>T-Mobile International AG
>Aufsichtsrat/ Supervisory Board: René Obermann (Vorsitzender/ Chairman)
>Vorstand/ Board of Management: Hamid Akhavan (Vorsitzender/ 
>Chairman), Michael Günther, Lothar A. Harings, Katharina Hollender
>Handelsregister/Commercial Register Entry: Amtsgericht Bonn, HRB 12276
>Steuer-Nr./Tax No.: 205 / 5777/ 0518
>USt.-ID./VAT Reg.No.: DE189669124
>Sitz der Gesellschaft/ Corporate Headquarters: Bonn

Received on Thursday, 26 March 2009 17:00:13 UTC
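The signing model the thread settles on, written out as an added example that is not part of this thread, of the BONDI work, or of the W3C widgets digsig draft: an author signature that covers every non-signature file, a distributor signature that covers those files plus the author signature, and a "same author" check that means no more than "both author signatures verify under the same key". The file names author-signature.xml and signature1.xml follow the draft's convention as I recall it (an assumption); everything else is constructed for the example: a map stands in for the unpacked package, the signature file is simply the signer's Ed25519 public key followed by a signature over a sorted digest manifest, and no XML Signature is involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Widget is a constructed stand-in for an unpacked package: file name -> contents.
type Widget map[string][]byte

// File names are assumed from the draft; the signature byte format is my own.
const (
	authorSigFile = "author-signature.xml"
	distSigFile   = "signature1.xml"
)

func isSigFile(name string) bool {
	return name == authorSigFile || strings.HasPrefix(name, "signature")
}

// manifest renders "name sha256" for every covered file in sorted order, so the
// signed bytes bind the exact file set: a modified, deleted or added file changes them.
func manifest(w Widget, covered func(string) bool) []byte {
	names := make([]string, 0, len(w))
	for name := range w {
		if covered(name) {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	var b strings.Builder
	for _, name := range names {
		sum := sha256.Sum256(w[name])
		fmt.Fprintf(&b, "%s %s\n", name, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// A signature file is the signer's public key followed by an Ed25519 signature over
// the manifest; carrying the key is what lets a verifier compare signers later.
func signBlob(key ed25519.PrivateKey, msg []byte) []byte {
	pub := key.Public().(ed25519.PublicKey)
	return append(append([]byte{}, pub...), ed25519.Sign(key, msg)...)
}

func verifyBlob(blob, msg []byte) (ed25519.PublicKey, bool) {
	if len(blob) != ed25519.PublicKeySize+ed25519.SignatureSize {
		return nil, false
	}
	pub := ed25519.PublicKey(blob[:ed25519.PublicKeySize])
	return pub, ed25519.Verify(pub, msg, blob[ed25519.PublicKeySize:])
}

// Author scope: every non-signature file. Distributor scope: the same files plus the
// author signature itself, so swapping the author signature later breaks the distributor's.
func authorScope(name string) bool      { return !isSigFile(name) }
func distributorScope(name string) bool { return !isSigFile(name) || name == authorSigFile }

func AddAuthorSignature(w Widget, key ed25519.PrivateKey) {
	w[authorSigFile] = signBlob(key, manifest(w, authorScope))
}

func AddDistributorSignature(w Widget, key ed25519.PrivateKey) {
	w[distSigFile] = signBlob(key, manifest(w, distributorScope))
}

// VerifyAuthor returns the key that produced the author signature and whether the
// covered files are exactly as they were when it was generated.
func VerifyAuthor(w Widget) (ed25519.PublicKey, bool) {
	blob, ok := w[authorSigFile]
	if !ok {
		return nil, false
	}
	return verifyBlob(blob, manifest(w, authorScope))
}

func VerifyDistributor(w Widget) (ed25519.PublicKey, bool) {
	blob, ok := w[distSigFile]
	if !ok {
		return nil, false
	}
	return verifyBlob(blob, manifest(w, distributorScope))
}

// SameSigningKey is the strongest "same author" statement the signature supports:
// both packages carry valid author signatures made with the same private key.
func SameSigningKey(a, b Widget) bool {
	ka, okA := VerifyAuthor(a)
	kb, okB := VerifyAuthor(b)
	return okA && okB && ka.Equal(kb)
}

// NewSampleWidget builds a constructed three-file package.
func NewSampleWidget() Widget {
	return Widget{
		"config.xml": []byte(`<widget xmlns="http://www.w3.org/ns/widgets"/>`),
		"index.html": []byte("<html><body>hello</body></html>"),
		"icon.png":   []byte{0x89, 'P', 'N', 'G'},
	}
}

func main() {
	_, author, _ := ed25519.GenerateKey(rand.Reader)
	_, dist, _ := ed25519.GenerateKey(rand.Reader)
	w := NewSampleWidget()
	AddAuthorSignature(w, author)
	AddDistributorSignature(w, dist)
	_, ok := VerifyAuthor(w)
	fmt.Println("author signature valid:", ok)
	w["extra.js"] = []byte("console.log('added later')") // added file breaks integrity
	_, ok = VerifyAuthor(w)
	fmt.Println("author signature valid after adding a file:", ok)
}
```

Note that SameSigningKey says nothing about who holds the key; as the message above points out, two packages signed with one key are "from the same author" only as far as the key owner kept that key to themselves, and the distributor's endorsement of that author key is what VerifyDistributor failing on a swapped author signature expresses.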