- From: Hillebrand, Rainer <Rainer.Hillebrand@t-mobile.net>
- Date: Thu, 26 Mar 2009 19:00:29 +0100
- To: <frederick.hirsch@nokia.com>, <Mark.Priestley@vodafone.com>
- Cc: <marcosc@opera.com>, <paddy@aplix.co.jp>, <public-webapps@w3.org>, <otsi-arch-sec@omtplists.org>
Dear Frederick,

The intent is clear but the technical solution will only provide confidence if you trust the owner of the author certificate. If you trust the owner then it is very likely for you that a widget with this author signature really comes from this author. However, there is no technical relationship between the widget author and the owner of the author certificate that you can technically verify.

Best Regards,

Rainer
---------------------------------------
Sent from my mobile device

----- Original Message -----
From: Frederick Hirsch <frederick.hirsch@nokia.com>
To: ext Priestley, Mark, VF-Group <Mark.Priestley@vodafone.com>
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>; Hillebrand, Rainer; marcosc@opera.com <marcosc@opera.com>; paddy@aplix.co.jp <paddy@aplix.co.jp>; public-webapps@w3.org <public-webapps@w3.org>; otsi-arch-sec@omtplists.org <otsi-arch-sec@omtplists.org>
Sent: Thu Mar 26 18:34:57 2009
Subject: Re: [BONDI Architecture & Security] [widgets] new digsig draft

I think I disagree, since the intent *is* to identify the author, that is the semantics, and this proposed change makes it less clear.

Of course we can argue whether or not you achieve that if you cannot associate the signature with the author, but that is out of scope.

regards, Frederick

Frederick Hirsch
Nokia

On Mar 26, 2009, at 12:58 PM, ext Priestley, Mark, VF-Group wrote:

> Hi All,
>
> As the author signature was something I had a hand in creating let
> me add my 2 pence worth.
>
> Rainer is correct in that the author signature need not actually
> come from the author of the widget. It comes from someone who claims
> to be the widget's author. Whether you believe this claim depends on
> how much you trust the signer.
>
> In [1] the current text says:
>
> [
> The author signature can be used to determine:
>
> * the author of a widget,
> * that the integrity of the widget is as the author intended,
> * and whether two widgets came from the same author.
> ]
>
> I would suggest changing this to:
>
> [
> The author signature can be used to:
>
> * authenticate the identity of the entity that added the author
>   signature to the widget package,
> * confirm that no widget files have been modified, deleted or
>   added since the generation of the author signature.
>
> The author signature may be used to:
> * determine whether two widgets came from the same author.
> ]
>
> The reason the last point is a may is as follows:
>
> If two widgets contain author signatures that were created using the
> same private key then we can say that the widgets were both signed
> by someone who had access to that key. That would normally mean the
> same entity (author, company, whatever). If the owner of that key
> shares it with others then obviously this no longer is true.
> However, this is the choice of the owner of the key - normally you
> would not share your private key!
>
> One additional point to add. We also define a distributor signature.
> Distributor signatures cover the author signature. As such a
> distributor signature may (depending on other factors) be making an
> implicit statement that the distributor believes the owner of the
> author signature to be the widget's author.
>
> Any clearer?
>
> Thanks,
>
> Mark
>
> [1] http://dev.w3.org/2006/waf/widgets-digsig/Overview.html
>

T-Mobile International AG
Aufsichtsrat/ Supervisory Board: René Obermann (Vorsitzender/ Chairman)
Vorstand/ Board of Management: Hamid Akhavan (Vorsitzender/ Chairman), Michael Günther, Lothar A. Harings, Katharina Hollender
Handelsregister/Commercial Register Entry: Amtsgericht Bonn, HRB 12276
Steuer-Nr./Tax No.: 205 / 5777/ 0518
USt.-ID./VAT Reg.No.: DE189669124
Sitz der Gesellschaft/ Corporate Headquarters: Bonn

>> -----Original Message-----
>> From: public-webapps-request@w3.org
>> [mailto:public-webapps-request@w3.org] On Behalf Of Hillebrand, Rainer
>> Sent: 26 March 2009 16:20
>> To: marcosc@opera.com; paddy@aplix.co.jp
>> Cc: public-webapps@w3.org; otsi-arch-sec@omtplists.org
>> Subject: AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft
>>
>> Dear Marcos,
>>
>> We cannot technically guarantee that the author signature
>> really comes from the widget's author. It is like having an
>> envelope with an unsigned letter. The envelope and the letter
>> can come from different sources even if the envelope has a signature.
>>
>> Best Regards,
>>
>> Rainer
>> ---------------------------------------
>> Sent from my mobile device
>>
>>
>> ----- Original Message -----
>> From: Marcos Caceres <marcosc@opera.com>
>> To: Paddy Byers <paddy@aplix.co.jp>
>> Cc: Hillebrand, Rainer; WebApps WG <public-webapps@w3.org>;
>> otsi-arch-sec@omtplists.org <otsi-arch-sec@omtplists.org>
>> Sent: Thu Mar 26 17:12:20 2009
>> Subject: Re: [BONDI Architecture & Security] [widgets] new digsig draft
>>
>> On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers <paddy@aplix.co.jp> wrote:
>>> Hi,
>>>
>>>> Agreed. Can we say "were signed with the same certificate" instead?
>>>
>>> I understood that Webapps had agreed to add a signature profile that
>>> designates a particular signature as the author signature - and where
>>> this is present it is possible to come up with appropriate precise
>>> wording as to whether or not two packages originate from the same author.
>>
>> Well, that's basically what we have, but Rainer seems to imply
>> that it is impossible to do this. I think we get as close as
>> we technically can to achieving that goal. However, if that
>> current solution is inadequate, then please send us suggestions.
>>
>> --
>> Marcos Caceres
>> http://datadriven.com.au

Received on Thursday, 26 March 2009 18:01:14 UTC
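
The distinction argued over in this thread, as an added example (not part of the original messages or of the Widgets Digital Signature draft): a check that reports only what two author signatures technically support. It assumes each signature has already passed XML Signature validation and carries a single signing certificate in `ds:X509Certificate`; the sample documents, `supported_claim` and the trust set are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def signer_fingerprint(signature_xml):
    """SHA-256 over the DER bytes of the ds:X509Certificate in KeyInfo."""
    root = ET.fromstring(signature_xml)
    node = root.find(f".//{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if node is None or not (node.text or "").strip():
        raise ValueError("signature carries no X509Certificate")
    der = base64.b64decode("".join(node.text.split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def supported_claim(sig_a, sig_b, trusted_fingerprints):
    """Return the strongest statement the two author signatures support."""
    fp_a, fp_b = signer_fingerprint(sig_a), signer_fingerprint(sig_b)
    if fp_a != fp_b:
        # Different certificates prove nothing either way: one author
        # may hold several certificates.
        return "different certificates: no conclusion about authorship"
    if fp_a in trusted_fingerprints:
        # Only local trust in the certificate owner turns "same key"
        # into "same author"; the signature itself cannot.
        return "same certificate, owner trusted by local policy"
    return "same certificate, owner untrusted: same key holder only"

def make_sample(cert_bytes):
    """Constructed author signature; cert_bytes stands in for real DER."""
    b64 = base64.b64encode(cert_bytes).decode()
    return (
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
        "<KeyInfo><X509Data>"
        f"<X509Certificate>{b64}</X509Certificate>"
        "</X509Data></KeyInfo></Signature>"
    )

# Constructed sample data: widgets 1 and 2 share a certificate, 3 does not.
WIDGET_1 = make_sample(b"constructed certificate A")
WIDGET_2 = make_sample(b"constructed certificate A")
WIDGET_3 = make_sample(b"constructed certificate B")

if __name__ == "__main__":
    trusted = {signer_fingerprint(WIDGET_1)}
    print(supported_claim(WIDGET_1, WIDGET_2, set()))
    print(supported_claim(WIDGET_1, WIDGET_2, trusted))
    print(supported_claim(WIDGET_1, WIDGET_3, trusted))
```

Comparing certificate fingerprints matches the "were signed with the same certificate" wording quoted above; a key re-issued under a new certificate would compare as different here.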