AW: Re: [BONDI Architecture Security] [widgets] new digsig draft
Dear Marcos,

We cannot technically guarantee that the author signature really comes from the widget's author. It is like having an envelope with an unsigned letter. The envelope and the letter can come from different sources even if the envelope has a signature.

Best Regards,
Rainer

---
Sent from my mobile device

- Original message -
From: Marcos Caceres marc...@opera.com
To: Paddy Byers pa...@aplix.co.jp
Cc: Hillebrand, Rainer; WebApps WG public-webapps@w3.org; otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
Sent: Thu Mar 26 17:12:20 2009
Subject: Re: [BONDI Architecture Security] [widgets] new digsig draft

On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers pa...@aplix.co.jp wrote:

Hi,

Agreed. Can we say "were signed with the same certificate" instead?

I understood that Webapps had agreed to add a signature profile that designates a particular signature as the author signature - and where this is present it is possible to come up with appropriate precise wording as to whether or not two packages originate from the same author.

Well, that's basically what we have, but Rainer seems to imply that it is impossible to do this. I think we get as close as we technically can to achieving that goal. However, if that current solution is inadequate, then please send us suggestions.

--
Marcos Caceres
http://datadriven.com.au

T-Mobile International AG Aufsichtsrat/ Supervisory Board: René Obermann (Vorsitzender/ Chairman) Vorstand/ Board of Management: Hamid Akhavan (Vorsitzender/ Chairman), Michael Günther, Lothar A. Harings, Katharina Hollender Handelsregister/Commercial Register Entry: Amtsgericht Bonn, HRB 12276 Steuer-Nr./Tax No.: 205 / 5777/ 0518 USt.-ID./VAT Reg.No.: DE189669124 Sitz der Gesellschaft/ Corporate Headquarters: Bonn

AW: Re: [BONDI Architecture Security] [widgets] new digsig draft
Dear Frederick,

The intent is clear but the technical solution will only provide confidence if you trust the owner of the author certificate. If you trust the owner then it is very likely for you that a widget with this author signature really comes from this author. However, there is no technical relationship between the widget author and the owner of the author certificate that you can technically verify.

Best Regards,
Rainer

---
Sent from my mobile device

- Original message -
From: Frederick Hirsch frederick.hir...@nokia.com
To: ext Priestley, Mark, VF-Group mark.priest...@vodafone.com
Cc: Frederick Hirsch frederick.hir...@nokia.com; Hillebrand, Rainer; marc...@opera.com marc...@opera.com; pa...@aplix.co.jp pa...@aplix.co.jp; public-webapps@w3.org public-webapps@w3.org; otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
Sent: Thu Mar 26 18:34:57 2009
Subject: Re: [BONDI Architecture Security] [widgets] new digsig draft

I think I disagree, since the intent *is* to identify the author, that is the semantics, and this proposed change makes it less clear. Of course we can argue whether or not you achieve that if you cannot associate the signature with the author, but that is out of scope.

regards, Frederick

Frederick Hirsch
Nokia

On Mar 26, 2009, at 12:58 PM, ext Priestley, Mark, VF-Group wrote:

Hi All,

As the author signature was something I had a hand in creating let me add my 2 pence worth.

Rainer is correct in that the author signature need not actually come from the author of the widget. It comes from someone who claims to be the widget's author. Whether you believe this claim depends on how much you trust the signer.

In [1] the current text says:

[
The author signature can be used to determine:
* the author of a widget,
* that the integrity of the widget is as the author intended,
* and whether two widgets came from the same author.
]

I would suggest changing this to:

[
The author signature can be used to:
* authenticate the identity of the entity that added the author signature to the widget package,
* confirm that no widget files have been modified, deleted or added since the generation of the author signature.

The author signature may be used to:
* determine whether two widgets came from the same author.
]

The reason the last point is a "may" is as follows: If two widgets contain author signatures that were created using the same private key then we can say that the widgets were both signed by someone who had access to that key. That would normally mean the same entity (author, company, whatever). If the owner of that key shares it with others then obviously this no longer is true. However, this is the choice of the owner of the key - normally you would not share your private key!

One additional point to add. We also define a distributor signature. Distributor signatures cover the author signature. As such a distributor signature may (depending on other factors) be making an implicit statement that the distributor believes the owner of the author signature to be the widget's author.

Any clearer?

Thanks,
Mark

[1] http://dev.w3.org/2006/waf/widgets-digsig/Overview.html

-Original Message-
From: public-webapps-requ...@w3.org [mailto:public-webapps-requ...@w3.org] On Behalf Of Hillebrand, Rainer
Sent: 26 March 2009 16:20
To: marc...@opera.com; pa...@aplix.co.jp
Cc: public-webapps@w3.org; otsi-arch-...@omtplists.org
Subject: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

Dear Marcos,

We cannot technically guarantee that the author signature really comes from the widget's author. It is like having an envelope with an unsigned letter. The envelope and the letter can come from different sources even if the envelope has a signature.

Best Regards,
Rainer

---
Sent from my mobile device

- Original message -
From: Marcos Caceres marc...@opera.com
To: Paddy Byers pa...@aplix.co.jp
Cc: Hillebrand, Rainer; WebApps WG public-webapps@w3.org; otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
Sent: Thu Mar 26 17:12:20 2009
Subject: Re: [BONDI Architecture Security] [widgets] new digsig draft

On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers pa...@aplix.co.jp wrote:

Hi,

Agreed. Can we say "were signed with the same certificate" instead?

I understood that Webapps had agreed to add a signature

Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft
What the author certificate lets you verify is whether a single party is taking responsibility for two widgets. There is indeed no *proof* of authorship here, but a statement that the signer is willing to assume the blame for being the widget's author.

Which is all we need, no?

--
Thomas Roessler, W3C t...@w3.org

On 26 Mar 2009, at 19:00, Hillebrand, Rainer wrote:

Dear Frederick,

The intent is clear but the technical solution will only provide confidence if you trust the owner of the author certificate. If you trust the owner then it is very likely for you that a widget with this author signature really comes from this author. However, there is no technical relationship between the widget author and the owner of the author certificate that you can technically verify.

Best Regards,
Rainer

---
Sent from my mobile device

- Original message -
From: Frederick Hirsch frederick.hir...@nokia.com
To: ext Priestley, Mark, VF-Group mark.priest...@vodafone.com
Cc: Frederick Hirsch frederick.hir...@nokia.com; Hillebrand, Rainer; marc...@opera.com marc...@opera.com; pa...@aplix.co.jp pa...@aplix.co.jp; public-webapps@w3.org public-webapps@w3.org; otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
Sent: Thu Mar 26 18:34:57 2009
Subject: Re: [BONDI Architecture Security] [widgets] new digsig draft

I think I disagree, since the intent *is* to identify the author, that is the semantics, and this proposed change makes it less clear. Of course we can argue whether or not you achieve that if you cannot associate the signature with the author, but that is out of scope.

regards, Frederick

Frederick Hirsch
Nokia

On Mar 26, 2009, at 12:58 PM, ext Priestley, Mark, VF-Group wrote:

Hi All,

As the author signature was something I had a hand in creating let me add my 2 pence worth.

Rainer is correct in that the author signature need not actually come from the author of the widget. It comes from someone who claims to be the widget's author. Whether you believe this claim depends on how much you trust the signer.

In [1] the current text says:

[
The author signature can be used to determine:
* the author of a widget,
* that the integrity of the widget is as the author intended,
* and whether two widgets came from the same author.
]

I would suggest changing this to:

[
The author signature can be used to:
* authenticate the identity of the entity that added the author signature to the widget package,
* confirm that no widget files have been modified, deleted or added since the generation of the author signature.

The author signature may be used to:
* determine whether two widgets came from the same author.
]

The reason the last point is a "may" is as follows: If two widgets contain author signatures that were created using the same private key then we can say that the widgets were both signed by someone who had access to that key. That would normally mean the same entity (author, company, whatever). If the owner of that key shares it with others then obviously this no longer is true. However, this is the choice of the owner of the key - normally you would not share your private key!

One additional point to add. We also define a distributor signature. Distributor signatures cover the author signature. As such a distributor signature may (depending on other factors) be making an implicit statement that the distributor believes the owner of the author signature to be the widget's author.

Any clearer?

Thanks,
Mark

[1] http://dev.w3.org/2006/waf/widgets-digsig/Overview.html

-Original Message-
From: public-webapps-requ...@w3.org [mailto:public-webapps-requ...@w3.org] On Behalf Of Hillebrand, Rainer
Sent: 26 March 2009 16:20
To: marc...@opera.com; pa...@aplix.co.jp
Cc: public-webapps@w3.org; otsi-arch-...@omtplists.org
Subject: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

Dear Marcos,

We cannot technically guarantee that the author signature really comes from the widget's author. It is like having an envelope with an unsigned letter. The envelope and the letter can come from different sources even if the envelope has a signature.

Best Regards,
Rainer

---
Sent from my mobile device

- Original message -
From: Marcos Caceres marc...@opera.com
To: Paddy Byers pa...@aplix.co.jp
Cc: Hillebrand, Rainer; WebApps WG public-webapps@w3.org; otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
Sent: Thu Mar

Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft
(removing cross-posting since it doesn't work for mail from everyone)

I'd like to point out that section 5.2 says what an author signature *can* do. I'm strongly against muddying this to account for various edge cases - I agree with Thomas that the meaning is clear.

However I understand the concern so suggest changing the following:

The author signature can be used to determine:
• the author of a widget,
• that the integrity of the widget is as the author intended,
• and whether two widgets came from the same author.

to

The author signature can be used to:
• allow an author to sign the widget, and if the signing key be related to their identity allow determination of the author,
• enable integrity protection of the widget as intended by the signer using the author role,
• establish that two widgets with author signatures having used the same signing key are from the same party.

regards, Frederick

Frederick Hirsch
Nokia

On Mar 26, 2009, at 12:14 PM, ext Hillebrand, Rainer wrote:

Hi Marcos!

I agree with your suggestions.

Best Regards,
Rainer

---
Sent from my mobile device

- Original message -
From: Marcos Caceres marc...@opera.com
To: Hillebrand, Rainer
Cc: WebApps WG public-webapps@w3.org; otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
Sent: Thu Mar 26 16:24:22 2009
Subject: Re: [BONDI Architecture Security] [widgets] new digsig draft

Hi Rainer,

On Thu, Mar 26, 2009 at 1:57 PM, Hillebrand, Rainer rainer.hillebr...@t-mobile.net wrote:

Dear Marcos,

I have some proposals for editorial changes.

1. Section 1.2: change "which MAY logically contains" to "which MAY logically contain"

fixed.

2. Section 1.2: "An unsigned widget package is a widget package that does not contain any signature files. It is left to the user agent's security policy how to deal with unsigned widget packages." Doesn't the same apply to signed widget packages, too? There is no W3C right now that specifies how a user agent shall deal with signed widget packages. I suggest to delete the sentence "It is left to the user agent's security policy how to deal with unsigned widget packages."

Deleted.

3. Section 1.2: "Rules are concatenated by being written next to each other and a rule prep ended by * means zero or more." I would suggest to split this sentence into two: "Rules are concatenated by being written next to each other. A rule prep ended by * means zero or more." What is a rule prep?

Ok, split. Dunno what a prep is, so I removed it.

4. Section 2: change "this specification supports SHA-256 the reference element and ds:SignedInfo element" to "this specification supports SHA-256, the reference element and ds:SignedInfo element"

fixed.

5. Section 3: "Implementers are encouraged to provide mechanisms to enable end-users to install additional root certificates. Trust in a root certificate is established through a security critical mechanism implemented by the user agent that is out of scope for this specification." A root certificate could be used for TLS as well but we mean certificates for widget package signature verification. "additional" could imply that a user agent is always provided with at least one certificate which does not need to be the case. Therefore, I would like to propose to change this part to "Implementers are encouraged to provide mechanisms to enable end-users to install certificates for widget package digital signature verification. Trust in a certificate is established through a security critical mechanism implemented by the user agent that is out of scope for this specification."

Ok, I included your text, but modified it slightly: "Implementers are encouraged to provide mechanisms to enable end-users to install certificates for enabling verification of digital signatures within the widget package. Trust in a certificate is established through a security critical mechanism implemented by the user agent, which is out of scope for this specification."

6. Section 4: "Process the signature files in the signatures list in descending order, with distributor signatures first (if any)." The processing is not defined before and it is unclear whether there is a difference between processing and signature validation. Suggestion: "Validate the signature files in the signatures list in descending order, with distributor signatures first (if any)."

Fixed.

7. Section 5.1: change "in [XML-Schema-Datatypes])within" to "in [XML-Schema-Datatypes]) within"

Fixed.

8. Section 5.2: change header "Author Signatures" to "Author Signature" because we have zero or one author signature.

True. fixed.

9. Section 5.2: "and whether two widgets came from the same author": Two signed widgets that were signed with the same certificate only indicate that these both widgets were signed with the same certificate. The signatures do not enable any confidence

Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft
I think the draft provides enough assurance for the intended level of use. If you want higher levels of assurance more will be required, but I don't believe we have a requirement here for that.

regards, Frederick

Frederick Hirsch
Nokia

On Mar 26, 2009, at 12:20 PM, ext Hillebrand, Rainer wrote:

Dear Marcos,

We cannot technically guarantee that the author signature really comes from the widget's author. It is like having an envelope with an unsigned letter. The envelope and the letter can come from different sources even if the envelope has a signature.

Best Regards,
Rainer

---
Sent from my mobile device

- Original message -
From: Marcos Caceres marc...@opera.com
To: Paddy Byers pa...@aplix.co.jp
Cc: Hillebrand, Rainer; WebApps WG public-webapps@w3.org; otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
Sent: Thu Mar 26 17:12:20 2009
Subject: Re: [BONDI Architecture Security] [widgets] new digsig draft

On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers pa...@aplix.co.jp wrote:

Hi,

Agreed. Can we say "were signed with the same certificate" instead?

I understood that Webapps had agreed to add a signature profile that designates a particular signature as the author signature - and where this is present it is possible to come up with appropriate precise wording as to whether or not two packages originate from the same author.

Well, that's basically what we have, but Rainer seems to imply that it is impossible to do this. I think we get as close as we technically can to achieving that goal. However, if that current solution is inadequate, then please send us suggestions.

--
Marcos Caceres
http://datadriven.com.au

Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft
I agree with what Thomas said as well. I suggest we think about whether we really need to change the specification since I read what is there as consistent with what Thomas wrote.

The intent is to flag a signature as an author signature - more detail is in my opinion in the same category as policy and other such important considerations, which we have not detailed in the specification.

regards, Frederick

Frederick Hirsch
Nokia

On Mar 26, 2009, at 5:06 PM, ext Marcin Hanclik wrote:

Hi,

I support this view.

In the whole design of various widget signatures it seems important that there is a list of signatures and from this list one is the distinguished one. Naming of the signatures is not very important, I think.

The term author is not defined anywhere. It does not have to be a human being. Probably sooner or later (depending on the market) the author could be someone/some entity/something who/that takes the responsibility for what the widget actually does - as pointed out by Thomas - or who/that initiated some idea behind the widget's functionality.

What then the distributor signatures are for? I assume some responsibility could also be assigned to them, but it is out of the scope of the standard that is to only cover the technical aspects. Verification of integrity and signature are one thing, and responsibilities are covered by other agreements.

I understand that the author signature could also be used to honour the actual developer (a person) of the widget, but this seems to be just some principle in the business world.

Thanks.

Kind regards,
Marcin

From: public-webapps-requ...@w3.org [public-webapps-requ...@w3.org] On Behalf Of Thomas Roessler [...@w3.org]
Sent: Thursday, March 26, 2009 7:05 PM
To: Hillebrand, Rainer
Cc: frederick.hir...@nokia.com; mark.priest...@vodafone.com; marc...@opera.com; pa...@aplix.co.jp; public-webapps@w3.org; otsi-arch-...@omtplists.org
Subject: Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

What the author certificate lets you verify is whether a single party is taking responsibility for two widgets. There is indeed no *proof* of authorship here, but a statement that the signer is willing to assume the blame for being the widget's author.

Which is all we need, no?

--
Thomas Roessler, W3C t...@w3.org

On 26 Mar 2009, at 19:00, Hillebrand, Rainer wrote:

Dear Frederick,

The intent is clear but the technical solution will only provide confidence if you trust the owner of the author certificate. If you trust the owner then it is very likely for you that a widget with this author signature really comes from this author. However, there is no technical relationship between the widget author and the owner of the author certificate that you can technically verify.

Best Regards,
Rainer

---
Sent from my mobile device

- Original message -
From: Frederick Hirsch frederick.hir...@nokia.com
To: ext Priestley, Mark, VF-Group mark.priest...@vodafone.com
Cc: Frederick Hirsch frederick.hir...@nokia.com; Hillebrand, Rainer; marc...@opera.com marc...@opera.com; pa...@aplix.co.jp pa...@aplix.co.jp; public-webapps@w3.org public-webapps@w3.org; otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
Sent: Thu Mar 26 18:34:57 2009
Subject: Re: [BONDI Architecture Security] [widgets] new digsig draft

I think I disagree, since the intent *is* to identify the author, that is the semantics, and this proposed change makes it less clear. Of course we can argue whether or not you achieve that if you cannot associate the signature with the author, but that is out of scope.

regards, Frederick

Frederick Hirsch
Nokia

On Mar 26, 2009, at 12:58 PM, ext Priestley, Mark, VF-Group wrote:

Hi All,

As the author signature was something I had a hand in creating let me add my 2 pence worth.

Rainer is correct in that the author signature need not actually come from the author of the widget. It comes from someone who claims to be the widget's author. Whether you believe this claim depends on how much you trust the signer.

In [1] the current text says:

[
The author signature can be used to determine:
* the author of a widget,
* that the integrity of the widget is as the author intended,
* and whether two widgets came from the same author.
]

I would suggest changing this to:

[
The author signature can be used to:
* authenticate the identity of the entity that added the author signature to the widget package,
* confirm that no widget files have been modified, deleted or added since the generation of the author signature.

The author signature may be used to:
* determine whether two widgets came from the same author.
]

The reason the last point is a "may" is as follows: If two widgets contain author signatures that were created using the same private key then we can say that the widgets were both signed

RE: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft
Hi Thomas,

Nice suggestion, but I am not sure whether it will survive in the real world and be abandoned or replaced by other interpretations. [I personally associate the author with the widget developer]

Let's imagine I am a developer D of the widget W and I work for company C. Who is the actual author and what does it mean? Whose private key is used for author signature? Could e.g. the company C be the first distributor of the widget W and I remain the author and sign the widget with my private key?

I am not sure whether it is feasible to map all the possible configurations of the relationships with 2-level signature architecture (author + distributors). Even then, the role names would not fit probably.

Maybe this would be enough?
"The author signature binds the author's identity to the widget package."
Then similarly:
"The distributor's signature binds the distributor's identity to the widget package."

So it would be only about binding various entities with each other.

Thanks.

Kind regards,
Marcin

From: public-webapps-requ...@w3.org [public-webapps-requ...@w3.org] On Behalf Of Thomas Roessler [...@w3.org]
Sent: Thursday, March 26, 2009 10:38 PM
To: Hillebrand, Rainer
Cc: marc...@opera.com; pa...@aplix.co.jp; public-webapps@w3.org; otsi-arch-...@omtplists.org
Subject: Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

Suggestion: "The author signature asserts that the signing party is an author of the widget, and binds the author's identity to the widget package."

Regards,
--
Thomas Roessler, W3C t...@w3.org

On 26 Mar 2009, at 17:20, Hillebrand, Rainer wrote:

Dear Marcos,

We cannot technically guarantee that the author signature really comes from the widget's author. It is like having an envelope with an unsigned letter. The envelope and the letter can come from different sources even if the envelope has a signature.

Best Regards,
Rainer

---
Sent from my mobile device

- Original message -
From: Marcos Caceres marc...@opera.com
To: Paddy Byers pa...@aplix.co.jp
Cc: Hillebrand, Rainer; WebApps WG public-webapps@w3.org; otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
Sent: Thu Mar 26 17:12:20 2009
Subject: Re: [BONDI Architecture Security] [widgets] new digsig draft

On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers pa...@aplix.co.jp wrote:

Hi,

Agreed. Can we say "were signed with the same certificate" instead?

I understood that Webapps had agreed to add a signature profile that designates a particular signature as the author signature - and where this is present it is possible to come up with appropriate precise wording as to whether or not two packages originate from the same author.

Well, that's basically what we have, but Rainer seems to imply that it is impossible to do this. I think we get as close as we technically can to achieving that goal. However, if that current solution is inadequate, then please send us suggestions.

--
Marcos Caceres
http://datadriven.com.au

Access Systems Germany GmbH Essener Strasse 5 | D-46047 Oberhausen HRB 13548 Amtsgericht Duisburg Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda www.access-company.com

Re: [BONDI Architecture Security] [widgets] Author, was: RE: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft
Hi,

I have been trying to identify the term author in Widget specs.

I think we're in danger of getting into details that are irrelevant for the PC specification. This spec should define what information is asserted by the presence of the author and distributor signatures. It is up to a consuming device, possibly defined by some other specification, to determine what actions are taken based on that asserted information.

In BONDI we do have roles for the author and distributor signatures, and an implementation may perform specific actions based on the signatures that are provided. But, as Thomas says, the PC spec should confine itself to defining how a Widget Resource encodes the signature(s), and say something about what is being asserted, and by who. The author is simply some entity that has signed the Widget Resource, who is content to be identified as the creator or the originator of the content.

Thanks - Paddy
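
The distinction argued over in this thread (what a verified author signature establishes, Mark Priestley's "same private key" point, and a distributor signature covering the author signature), worked through as an added Python example that is not part of any message or of the draft. It assumes toy textbook-RSA keys built from known Mersenne primes and a JSON file manifest in place of the draft's XML signature format; every function name and sample file is constructed for illustration.

```python
import hashlib
import json

E = 65537  # public exponent used by both toy keys

def toy_keypair(p, q):
    """Textbook RSA from two known primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest_int(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def key_id(n):
    """Short fingerprint of the public modulus: all a verifier learns about the signer."""
    return hashlib.sha256(str(n).encode()).hexdigest()[:16]

def manifest(files):
    """Canonical JSON list of [path, SHA-256] for every file in the package."""
    return json.dumps(sorted([p, hashlib.sha256(b).hexdigest()] for p, b in files.items()))

def covered_text(manifest_json, covers):
    # A distributor signature also covers the author signature record.
    return manifest_json + (json.dumps(covers, sort_keys=True) if covers else "")

def sign(role, files, key, covers=None):
    n, d = key
    m = manifest(files)
    return {"role": role, "n": n, "manifest": m,
            "sig": pow(digest_int(covered_text(m, covers)), d, n)}

def verify(sig, files, covers=None):
    """Return (ok, detail); ok means the holder of key n signed exactly these files.
    Whether key n belongs to the widget's author is not something this can decide."""
    signed = dict(json.loads(sig["manifest"]))
    actual = dict(json.loads(manifest(files)))
    changed = sorted(p for p in set(signed) | set(actual) if signed.get(p) != actual.get(p))
    if changed:
        return False, "modified, deleted or added: " + ", ".join(changed)
    if pow(sig["sig"], E, sig["n"]) != digest_int(covered_text(sig["manifest"], covers)):
        return False, "bad signature"
    return True, "signed by holder of key " + key_id(sig["n"])

def same_key_holder(pkg_a, pkg_b):
    """Both author signatures verify and were made with the same private key."""
    (files_a, sig_a), (files_b, sig_b) = pkg_a, pkg_b
    return (verify(sig_a, files_a)[0] and verify(sig_b, files_b)[0]
            and sig_a["role"] == sig_b["role"] == "author" and sig_a["n"] == sig_b["n"])

# Constructed sample data: two key holders (insecure toy keys) and two packages.
KEY_A = toy_keypair(2**521 - 1, 2**607 - 1)
KEY_B = toy_keypair(2**1279 - 1, 2**2203 - 1)
CLOCK = {"config.xml": b"<widget id='clock'/>", "index.html": b"<p>clock</p>"}
NOTES = {"config.xml": b"<widget id='notes'/>", "index.html": b"<p>notes</p>"}

def demo():
    clock_a = sign("author", CLOCK, KEY_A)
    notes_a = sign("author", NOTES, KEY_A)
    clock_b = sign("author", CLOCK, KEY_B)  # a different key holder in the author role
    dist = sign("distributor", CLOCK, KEY_B, covers=clock_a)
    return {
        "clock signed by A": verify(clock_a, CLOCK),
        "file added after signing": verify(clock_a, {**CLOCK, "extra.js": b"x"}),
        "same files signed by B": verify(clock_b, CLOCK),
        "A's two widgets share a key": same_key_holder((CLOCK, clock_a), (NOTES, notes_a)),
        "A's and B's copies share a key": same_key_holder((CLOCK, clock_a), (CLOCK, clock_b)),
        "distributor covers A's signature": verify(dist, CLOCK, covers=clock_a),
        "distributor vs swapped author sig": verify(dist, CLOCK, covers=clock_b),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The third result is the envelope point made in the thread: verification succeeds for whichever key signed, so deciding whether that key belongs to the author is left to the trust mechanism the draft places out of scope.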