During the March 5 widgets voice conference, the group agreed [1]
this issue can be closed since the latest version of the Widgets
Digital Signature spec [2] addresses this issue's concerns.
-Regards, Art Barstow
[1] <http://www.w3.org/2009/03/05-wam-minutes.html#item04>
[2] <http://dev.w3.org/2006/waf/widgets-digsig/>
On Jun 26, 2008, at 11:54 PM, ext Web Applications Working Group
Issue Tracker wrote:
ISSUE-19: Widgets digital Signatures spec does not meet required
use cases and requirements [Widgets]
http://www.w3.org/2008/webapps/track/issues/
Raised by: Marcos Caceres
On product: Widgets
R11. Digital Signature
A conforming specification must specify a means to digitally sign
resources in a widget resource and a processing model for verifying
the authenticity and the data integrity of the widget resource. The
digital signature scheme must be compatible with existing Public
Key Infrastructures (PKI), particularly X.509 digital certificates.
In addition, the recommended digital signature format should
support certificate chaining and the ability for a package to be
signed by multiple authorities (i.e., multiple signatures).
The current Widgets 1.0: Digital Signature spec does not meet these
requirements [1].
We currently only solve the problem for one signer signing the widget.
We need to find solutions for:
1. Signing the package and allowing certificate chaining:
   signature.xml = A signs B signs...N signs widget files
2. Allowing multiple parties to sign the certificate in a separate
   file:
   SignatureB signs signatureA signs widget files
3. Allowing parallel signatures to sign the contents of a package:
   SignatureA signs widget files
   SignatureB signs widget files
We are still exploring if there are any use cases for a mixed-mode,
e.g.:
   SignatureA signs widget files
   SignatureB signs widget files
   SignatureC signs SignatureA
[1] http://dev.w3.org/2006/waf/widgets-digsig/
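
The mixed-mode layout from the issue text, as an added example that is not part of the thread or of the Widgets Digital Signature spec: a verifier in which a signature over another signature is accepted only if the signature it covers also verifies. Assumptions: HMAC keys stand in for X.509 key pairs, the signature record is JSON rather than XML Signature, and the file names and contents are constructed.

```python
import hashlib, hmac, json

# Assumption: HMAC keys stand in for the signers' X.509 key pairs.
KEYS = {"A": b"key-a", "B": b"key-b", "C": b"key-c"}
# Constructed sample widget content.
FILES = {"config.xml": b"<widget/>", "index.html": b"<html></html>"}

def _digest(data):
    return hashlib.sha256(data).hexdigest()

def _mac(signer, refs):
    body = json.dumps({"signer": signer, "refs": refs}, sort_keys=True).encode()
    return hmac.new(KEYS[signer], body, hashlib.sha256).hexdigest()

def sign(signer, targets, blobs):
    """Sign the digests of the named targets (widget files or signatures)."""
    refs = {name: _digest(blobs[name]) for name in sorted(targets)}
    rec = {"signer": signer, "refs": refs, "mac": _mac(signer, refs)}
    return json.dumps(rec, sort_keys=True).encode()

def verify_package(files, signatures):
    """Map each signature name to True/False. A signature over another
    signature is valid only if the signature it covers is valid too."""
    blobs, results = {**files, **signatures}, {}

    def check(name):
        if name not in results:
            results[name] = False  # provisional value, stops reference cycles
            rec = json.loads(signatures[name])
            ok = rec["signer"] in KEYS and hmac.compare_digest(
                _mac(rec["signer"], rec["refs"]), rec["mac"])
            for ref, want in rec["refs"].items():
                ok = ok and ref in blobs and _digest(blobs[ref]) == want
                if ref in signatures:
                    ok = check(ref) and ok
            results[name] = ok
        return results[name]

    for name in signatures:
        check(name)
    return results

def build_mixed(files):
    """The mixed-mode layout: A and B sign the files, C signs SignatureA."""
    sigs = {"signatureA.xml": sign("A", files, files),
            "signatureB.xml": sign("B", files, files)}
    sigs["signatureC.xml"] = sign("C", ["signatureA.xml"], sigs)
    return sigs
```

Changing one widget file invalidates SignatureA and SignatureB directly and SignatureC transitively, while removing the parallel SignatureB leaves the other two valid.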