ISSUE-19: Widgets digital Signatures spec does not meet required use cases and 
requirements  [Widgets]

http://www.w3.org/2008/webapps/track/issues/

Raised by: Marcos Caceres
On product: Widgets

R11. Digital Signature
A conforming specification must specify a means to digitally sign resources in 
a widget resource and a processing model for verifying the authenticity and the 
data integrity of the widget resource. The digital signature scheme must be 
compatible with existing Public Key Infrastructures (PKI), particularly X.509 
digital certificates. In addition, the recommended digital signature format 
should support certificate chaining and the ability for a package to be signed 
by multiple authorities (i.e., multiple signatures).

The current Widgets 1.0: Digital Signature spec does not meet these 
requirements [1]. 

We currently only solve the problem for one signer signing the widget. 

We need to find solutions for:

1. Signing the package and allowing certificate chaining:
    signature.xml = A signs B signs...N signs widget files

2. Allowing multiple parties to sign the certificate in a separate file:
    SignatureB signs signatureA signs widget files

3. Allowing parallel signatures to sign the contents of a package:
    SignatureA signs widget files
    SignatureB signs widget files

We are still exploring if there are any use cases for a mixed-mode, e.g.:
    SignatureA signs widget files
    SignatureB signs widget files
    SignatureC signs SignatureA

[1] http://dev.w3.org/2006/waf/widgets-digsig/
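The signing arrangements listed in this issue, modelled as a digest-reference graph. This is an added example, not part of the original message or of the Widgets 1.0: Digital Signature draft. The JSON record layout and the function names are assumptions, and the public-key signature over the references (with its X.509 chain) is left out so that only the "who signs what" structure is checked.

```python
import hashlib
import json

def add_signature(package, name, signer, targets):
    """Add a signature file holding one SHA-256 reference per target.
    Model only (assumed layout): a real signature would also sign these
    references with the signer's key and carry the certificate chain."""
    refs = {t: hashlib.sha256(package[t]).hexdigest() for t in targets}
    package[name] = json.dumps({"signer": signer, "refs": refs},
                               sort_keys=True).encode()

def verify(package, sig_names):
    """Map each signature file to the sorted widget files it vouches for,
    or to None if any reference (direct or via a signed signature) fails."""
    sigs = {n: json.loads(package[n]) for n in sig_names}
    cache = {}

    def covered(name):
        if name not in cache:
            files, ok = set(), True
            for target, want in sigs[name]["refs"].items():
                data = package.get(target)
                if data is None or hashlib.sha256(data).hexdigest() != want:
                    ok = False                  # target missing or modified
                elif target in sigs:            # signature over a signature
                    inner = covered(target)
                    ok = ok and inner is not None
                    files.update(inner or ())
                else:
                    files.add(target)           # signature over a widget file
            cache[name] = sorted(files) if ok else None
        return cache[name]

    return {n: covered(n) for n in sig_names}

SIGS = ["signatureA", "signatureB", "signatureC"]

def mixed_mode_package():
    """Constructed sample: the mixed mode from the issue text."""
    pkg = {"config.xml": b"<widget/>", "index.html": b"<html></html>"}
    files = list(pkg)
    add_signature(pkg, "signatureA", "A", files)           # parallel signer
    add_signature(pkg, "signatureB", "B", files)           # parallel signer
    add_signature(pkg, "signatureC", "C", ["signatureA"])  # signs SignatureA
    return pkg
```

Dropping signatureC from the sample gives case 3 (parallel signatures), and dropping signatureB instead gives case 2 (SignatureB signs signatureA, under different names).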




