New Role in T-Mobile Germany

2009-07-22 Thread Hillebrand, Rainer
Dear Art, All,

After commuting about 200km each day over more than three years I will go back 
to T-Mobile Germany in Münster that is nearer to the place where I live. I will 
leave Deutsche Telekom AG Headquarters (former T-Mobile International) by the 
end of August.

So, I want to take the opportunity to say thank you and good bye to all of you. 
It was a pleasure for me working with you on the specifications for widgets. 
Regardless of my new role, I will keep on privately developing widgets and 
hoping to provide releases that work on all web runtimes.

All the best and take care.

Best Regards,

Rainer

*
Deutsche Telekom AG
Service Zentrale/Headquarters
Rainer Hillebrand
Head of Terminal Security
Landgrabenweg 151, D-53227 Bonn
+49 228 936-13916 (Tel)
+49 228 936-18406 (Fax)
+49 171 5211056 (Mobile)
E-Mail: rainer.hillebr...@t-mobile.net
http://www.telekom.de
Life is for sharing.

This e-mail and any attachment are confidential and may be privileged. If you 
are not the intended recipient, notify the sender immediately, destroy all 
copies from your system and do not disclose or use the information for any 
purpose. 

Diese E-Mail inklusive aller Anhänge ist vertraulich und könnte bevorrechtigtem 
Schutz unterliegen. Wenn Sie nicht der beabsichtigte Adressat sind, informieren 
Sie bitte den Absender unverzüglich, löschen Sie alle Kopien von Ihrem System 
und veröffentlichen Sie oder nutzen Sie die Information keinesfalls, gleich zu 
welchem Zweck.


Deutsche Telekom AG
Aufsichtsrat/ Supervisory Board: Prof. Dr. Ulrich Lehner (Vorsitzender/ 
Chairman)
Vorstand/ Board of Management: René Obermann (Vorsitzender/ Chairman), Hamid 
Akhavan, Dr. Manfred Balz, Reinhard Clemens,  Niek Jan van Damme, Timotheus 
Höttges, Guido Kerkhoff, Thomas Sattelberger
Handelsregister/Commercial Register Entry: Amtsgericht Bonn, HRB 6794, 
Registered Office Bonn
USt.-ID./VAT Reg.No.: DE123475223
Sitz der Gesellschaft/ Corporate Headquarters: Bonn



RE: New Widgets AE Editors Draft

2009-04-24 Thread Hillebrand, Rainer
Dear Arve,

Here are my comments on the last editor's draft of your Widgets AE.

1. Change "A environment in which a Widget interface is presented to the user." 
to "An environment in which a Widget interface is presented to the user."

2. All URLs in the "Step 8" hyperlinks in section "The Widget Interface" have a 
backslash at the end.

3. Section "The Widget Interface", definitions of viewMode to version 
attributes: e.g. "Upon instantiation, this attribute MUST be set to the value 
of widget window mode, which is derived from the configuration defaults from 
processing the configuration document in the [Widgets-Packaging] specification 
(Step 8)." In step 3 of [Widgets-Packaging], a user agent must assume the 
defined default values. In step 7, the configuration document is processed. So, 
Step 8 seems to be the wrong step. According to my understanding, when a 
widget uses the Widget interface, step 3 and step 7 were already processed. 
This means the return value is either the default value or the value that was 
set in the configuration document. Isn't this the case for all readonly 
attributes? Only the definition of the identifier attribute contains the "if 
one was used in the configuration document" condition. What would you think 
about a definition like "The identifier attribute represents the value of 
widget element's id attribute, if one was used in the configuration document 
([Widgets-Packaging], Step 7). Otherwise, this attribute MUST be set to the 
value of widget id, which is derived from the configuration defaults from 
processing the widget resource in the [Widgets-Packaging] specification (Step 
3)." which could be easily reused for the other readonly attribute definitions?

4. Section "The Widget Interface": "The authorName attribute represents the 
name of the person who authored the widget." According to the current PC, an 
author element represents "people or an organization attributed with the 
creation of the widget". So, authorName will not always contain the widget 
author's name. It could also be the name of an organisation or a company. I would 
like to propose changing "The authorName attribute represents the name of the 
person who authored the widget." to "The authorName attribute represents people 
or an organization attributed with the creation of the widget."

5. Section "The Widget Interface": Change "[...] configuration document as 
specified in [Widgets]." to "[...] configuration document as specified in 
[Widgets-Packaging]."

6. Section "The Widget Interface": Change "The onmodechange attribute MAY hold 
a a function that is [...]" to "The onmodechange attribute MAY hold a function 
that is [...]".

7. Section "The onmodechange Callback": This section contains the term 
"currentMode" two times. However, this attribute is not defined. It can't be 
viewMode because viewMode is either the default value from PC Step 3 or the 
value from PC Step 7.

Best Regards,

Rainer
*
T-Mobile International
Terminal Technology
Rainer Hillebrand
Head of Terminal Security
Landgrabenweg 151, D-53227 Bonn
Germany

+49 171 5211056 (My T-Mobile)
+49 228 936 13916 (Tel.)
+49 228 936 18406 (Fax)
E-Mail: rainer.hillebr...@t-mobile.net

http://www.t-mobile.net

This e-mail and any attachment are confidential and may be privileged. If you 
are not the intended recipient, notify the sender immediately, destroy all 
copies from your system and do not disclose or use the information for any 
purpose. 

Diese E-Mail inklusive aller Anhänge ist vertraulich und könnte bevorrechtigtem 
Schutz unterliegen. Wenn Sie nicht der beabsichtigte Adressat sind, informieren 
Sie bitte den Absender unverzüglich, löschen Sie alle Kopien von Ihrem System 
und veröffentlichen Sie oder nutzen Sie die Information keinesfalls, gleich zu 
welchem Zweck.


T-Mobile International AG
Aufsichtsrat/ Supervisory Board: René Obermann (Vorsitzender/ Chairman)
Vorstand/ Board of Management: Hamid Akhavan (Vorsitzender/ Chairman), Michael 
Günther
Handelsregister/Commercial Register Entry: Amtsgericht Bonn, HRB 12276
Steuer-Nr./Tax No.: 205 / 5777/ 0518
USt.-ID./VAT Reg.No.: DE189669124
Sitz der Gesellschaft/ Corporate Headquarters: Bonn



RE: [widgets] Screenshots and case sensitive file names

2009-04-21 Thread Hillebrand, Rainer
Dear Marcos,

See my comments inline.

Best Regards,

Rainer





-Original Message- 
 From: marcosscace...@gmail.com 
 [mailto:marcosscace...@gmail.com] On Behalf Of Marcos Caceres
 Sent: Monday, 20 April 2009 15:22
 To: Hillebrand, Rainer
 Cc: public-webapps
 Subject: Re: [widgets] Screenshots and case sensitive file names
 
 Hi Rainer,
 
 On Mon, Mar 16, 2009 at 3:11 PM, Hillebrand, Rainer 
 rainer.hillebr...@t-mobile.net wrote:
  Dear Marcos,
 
  The current version W3C Working Draft 11 March 2009 does 
 not mention the gallery in Chapter 6.9: A screenshot is an 
 optional file inside the widget resource that graphically 
 represents the widget in a running state. Well, the question 
 is what is a running state and which kind of application uses 
 the screenshot. As it is written in the draft spec it could 
 also be used by the WUA to graphically represent a widget.
 
  I would assume that it is out of scope for the PC to 
 define which application uses a screenshot for which purpose.
 
 
 As we discarded screenshots, I guess that addresses the confusion.
 

Ok!

  By the way, the current CSS settings move the text to the 
 left so that I cannot see the whole text after Chapter 7.7 in 
 an IE 6.0.
 
 
 I can only suggest using a modern browser that supports Web 
 standards... have you tried Opera?;)

I do not have a choice in T-Mobile but your page uses valid CSS code. I 
privately use Opera and Opera Mobile besides other browsers for testing my web 
pages and widgets. ;-)

 
 Kind regards,
 Marcos
 
 --
 Marcos Caceres
 http://datadriven.com.au




RE: [BONDI Architecture & Security] [widgets] new digsig draft

2009-03-27 Thread Hillebrand, Rainer
Dear Marcos,

I hope to have fewer critical comments than in my last feedback email.

1. Section 7.1: change "The ds:SignatureMethod algorithm used in the 
ds:SignatureValue element MUST one of the signature algorithms." to "The 
ds:SignatureMethod algorithm used in the ds:SignatureValue element MUST be one 
of the signature algorithms."

2. Section 7.1: "The ds:KeyInfo element MAY be included and MAY include 
certificate, CRL and/or OCSP information.": CRL and OCSP are not defined 
before. Do you have a reference for these abbreviations?

3. Section 7.3: "The set of acceptable trust anchors, and policy decisions 
based on the signer's identity are established through a security-critical 
out-of-band mechanism." I do not really understand this sentence. This is not 
subject to the processing rules, is it? What is an acceptable trust anchor? 
Are they really established or may they be established?

4. Section 8: change "Care should be taken to avoid resource exhaustion attacks 
through maliciously crafted Widget archives during signature verification." to 
"Care should be taken to avoid resource exhaustion attacks through maliciously 
crafted [widget package]s during signature validation."

5. Section 8: change "Implementations should be careful about trusting path 
components found in the zip archive" to "Implementations should be careful 
about trusting path components found in the [widget package]"

6. Section 8: change "and naive unpacking of widget archives into" to "and 
naive unpacking of [widget package]s into"

7. Section 8: change "e.g., overwriting of startup or system files" to "e.g. 
overwriting of startup or system files"

8. Section 8: change "There is no single signature file that includes all 
contents of a widget, including all of the signatures." to "There is no single 
signature file that includes all files of a [widget package], including all of 
the signature files."

9. Section 8: change "This leaves a widget package subject to an attack where 
distributor signatures can be removed (and an author signature if any 
corresponding distributor signature is also removed), or added." to "This 
leaves a widget package subject to an attack where distributor signatures can 
be removed or added. An author signature could also be attacked by removing it 
and any distributor signatures if they are present."

Best Regards,

Rainer

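The resource-exhaustion and path-component concerns in comments 4 to 6 of the message above are exactly what a user agent has to check before it unpacks anything. The Python below is an added example, not code from the digsig specification or from any of the correspondents: it inspects a widget package (a zip file) for entry paths that would land outside the unpack directory, for absolute paths, and for declared sizes and compression ratios that fit the decompression-bomb pattern, and then inflates with a hard byte cap so that a central directory that lies about sizes does not help either. The limits and the sample packages are constructed for this example.

```python
"""Pre-extraction checks for a widget package (added example)."""
import io
import zipfile

# Constructed policy limits for this example.
MAX_TOTAL_UNCOMPRESSED = 10 * 1024 * 1024   # 10 MiB of inflated data per package
MAX_RATIO = 100                              # inflated/compressed size per entry


def check_entry_path(name):
    """Return None if the entry may be placed under the unpack root, else a reason.
    Widget packages use forward slashes, so anything else is rejected outright."""
    if not name:
        return "empty name"
    if "\\" in name or "\x00" in name:
        return "backslash or NUL in path"
    if name.startswith("/") or (len(name) > 1 and name[0].isalpha() and name[1] == ":"):
        return "absolute path"
    if ".." in name.split("/"):
        return "parent-directory component"
    return None


def check_package(data):
    """Inspect the central directory only; nothing is inflated yet."""
    problems, total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = check_entry_path(info.filename)
            if reason:
                problems.append((info.filename, reason))
            total += info.file_size
            # A tiny compressed entry that inflates enormously is the decompression-bomb pattern.
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                problems.append((info.filename, "suspicious compression ratio"))
    if total > MAX_TOTAL_UNCOMPRESSED:
        problems.append(("<package>", "declared uncompressed size exceeds limit"))
    return (not problems, problems)


def extract_checked(data, limit=MAX_TOTAL_UNCOMPRESSED):
    """Inflate into memory with a hard byte cap. The declared sizes checked above
    come from the archive itself and may lie, so the cap is enforced while reading."""
    ok, problems = check_package(data)
    if not ok:
        raise ValueError(f"package rejected: {problems}")
    files, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.endswith("/"):
                continue                      # directory entry, nothing to inflate
            chunks = []
            with zf.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > limit:
                        raise ValueError("inflated data exceeds limit")
                    chunks.append(chunk)
            files[info.filename] = b"".join(chunks)
    return files


def build_zip(entries):
    """Build a zip in memory from (name, bytes) pairs; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample packages.
GOOD_PACKAGE = build_zip([
    ("config.xml", b'<widget xmlns="http://www.w3.org/ns/widgets"/>'),
    ("index.html", b"<p>hello</p>"),
    ("icons/icon.png", b"\x89PNG..."),
])
TRAVERSAL_PACKAGE = build_zip([
    ("config.xml", b'<widget xmlns="http://www.w3.org/ns/widgets"/>'),
    ("../../startup.sh", b"would land outside the unpack root"),
])
BOMB_PACKAGE = build_zip([("big.bin", b"\0" * 2_000_000)])  # deflates to a few kilobytes

if __name__ == "__main__":
    for label, pkg in [("good", GOOD_PACKAGE), ("traversal", TRAVERSAL_PACKAGE), ("bomb", BOMB_PACKAGE)]:
        print(label, check_package(pkg))
```

The two-stage split matters: `check_package` is cheap and rejects obvious problems from metadata alone, while `extract_checked` is the only place bytes are actually inflated and is the one that must enforce the limit, because the sizes in the central directory are attacker-controlled data.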



RE: [BONDI Architecture & Security] [widgets] new digsig draft

2009-03-26 Thread Hillebrand, Rainer
Dear Marcos,

I have some proposals for editorial changes.

1. Section 1.2: change "which MAY logically contains" to "which MAY logically 
contain"

2. Section 1.2: "An unsigned widget package is a widget package that does not 
contain any signature files. It is left to the user agent's security policy how 
to deal with unsigned widget packages." Doesn't the same apply to signed widget 
packages, too? There is no W3C right now that specifies how a user agent shall 
deal with signed widget packages. I suggest deleting the sentence "It is left 
to the user agent's security policy how to deal with unsigned widget packages."

3. Section 1.2: "Rules are concatenated by being written next to each other and 
a rule prep ended by * means zero or more." I would suggest splitting this 
sentence into two: "Rules are concatenated by being written next to each other. 
A rule prep ended by * means zero or more." What is a "rule prep"?

4. Section 2: change "this specification supports SHA-256 the reference element 
and ds:SignedInfo element" to "this specification supports SHA-256, the 
reference element and ds:SignedInfo element"

5. Section 3: "Implementers are encouraged to provide mechanisms to enable 
end-users to install additional root certificates. Trust in a root certificate 
is established through a security critical mechanism implemented by the user 
agent that is out of scope for this specification." A root certificate could be 
used for TLS as well, but we mean certificates for widget package signature 
verification. "additional" could imply that a user agent is always provided 
with at least one certificate, which does not need to be the case. Therefore, I 
would like to propose changing this part to "Implementers are encouraged to 
provide mechanisms to enable end-users to install certificates for widget 
package digital signature verification. Trust in a certificate is established 
through a security critical mechanism implemented by the user agent that is out 
of scope for this specification."

6. Section 4: "Process the signature files in the signatures list in descending 
order, with distributor signatures first (if any)." The processing is not 
defined before, and it is unclear whether there is a difference between 
processing and signature validation. Suggestion: "Validate the signature files 
in the signatures list in descending order, with distributor signatures first 
(if any)."

7. Section 5.1: change "in [XML-Schema-Datatypes])within" to "in 
[XML-Schema-Datatypes]) within"

8. Section 5.2: change the header "Author Signatures" to "Author Signature" 
because we have zero or one author signature.

9. Section 5.2: "and whether two widgets came from the same author": Two signed 
widgets that were signed with the same certificate only indicate that both 
widgets were signed with the same certificate. The signatures do not 
enable any confidence in the relationship between a widget author and a widget 
signer. There are no means that hinder me as an attacker from stripping off all 
of a widget's signatures and signing it with my own certificate, with which I 
signed another, rogue widget from somebody else. Therefore, I would recommend 
deleting this bullet point.

10. Section 5.2: change "A widget package MAY contain zero or one author 
signatures." to "A widget package MAY contain zero or one author signature."

More change proposals may come tomorrow (if identified tomorrow).

Best Regards,

Rainer




AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

2009-03-26 Thread Hillebrand, Rainer
Dear Marcos,

We cannot technically guarantee that the author signature really comes from the 
widget's author. It is like having an envelope with an unsigned letter. The 
envelope and the letter can come from different sources even if the envelope has 
a signature.

Best Regards,

Rainer
---
Sent from my mobile device


- Original Message -
From: Marcos Caceres marc...@opera.com
To: Paddy Byers pa...@aplix.co.jp
Cc: Hillebrand, Rainer; WebApps WG public-webapps@w3.org; 
otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
Sent: Thu Mar 26 17:12:20 2009
Subject: Re: [BONDI Architecture & Security] [widgets] new digsig draft

On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers pa...@aplix.co.jp wrote:
 Hi,

 Agreed. Can we say "were signed with the same certificate" instead?

 I understood that Webapps had agreed to add a signature profile that
 designates a particular signature as the author signature - and where this
 is present it is possible to come up with appropriate precise wording as to
 whether or not two packages originate from the same author.

Well, that's basically what we have, but Rainer seems to imply that it
is impossible to do this. I think we get as close as we technically
can to achieving that goal. However, if that current solution is
inadequate, then please send us suggestions.

-- 
Marcos Caceres
http://datadriven.com.au





AW: RE: Re: [BONDI Architecture & Security] [widgets] new digsig draft

2009-03-26 Thread Hillebrand, Rainer
Dear Mark,

I agree to use your text.

Best Regards,

Rainer
---
Sent from my mobile device


- Original Message -
From: otsi-arch-sec-ow...@omtp.ieee-isto.org 
otsi-arch-sec-ow...@omtp.ieee-isto.org
To: Hillebrand, Rainer; marc...@opera.com marc...@opera.com; 
pa...@aplix.co.jp pa...@aplix.co.jp
Cc: public-webapps@w3.org public-webapps@w3.org; otsi-arch-...@omtplists.org 
otsi-arch-...@omtplists.org
Sent: Thu Mar 26 17:58:03 2009
Subject: RE: Re: [BONDI Architecture & Security] [widgets] new digsig draft

Hi All,

As the author signature was something I had a hand in creating let me add my 2 
pence worth.

Rainer is correct in that the author signature need not actually come from the 
author of the widget. It comes from someone who claims to be the widget's 
author. Whether you believe this claim depends on how much you trust the 
signer. 

In [1] the current text says:

[
The author signature can be used to determine:

* the author of a widget,
* that the integrity of the widget is as the author intended,
* and whether two widgets came from the same author. 
]

I would suggest changing this to:

[
The author signature can be used to:

* authenticate the identity of the entity that added the author signature 
to the widget package,
* confirm that no widget files have been modified, deleted or added since 
the generation of the author signature.

The author signature may be used to:
* determine whether two widgets came from the same author. 
]

The reason the last point is a "may" is as follows:

If two widgets contain author signatures that were created using the same 
private key then we can say that the widgets were both signed by someone who 
had access to that key. That would normally mean the same entity (author, 
company, whatever). If the owner of that key shares it with others then 
obviously this no longer is true. However, this is the choice of the owner of 
the key - normally you would not share your private key! 

One additional point to add. We also define a distributor signature. 
Distributor signatures cover the author signature. As such a distributor 
signature may (depending on other factors) be making an implicit statement that 
the distributor believes the owner of the author signature to be the widget's 
author.

Any clearer? 

Thanks,

Mark  


[1] http://dev.w3.org/2006/waf/widgets-digsig/Overview.html


 



  








-Original Message- 
From: public-webapps-requ...@w3.org 
[mailto:public-webapps-requ...@w3.org] On Behalf Of Hillebrand, Rainer
Sent: 26 March 2009 16:20
To: marc...@opera.com; pa...@aplix.co.jp
Cc: public-webapps@w3.org; otsi-arch-...@omtplists.org
Subject: AW: Re: [BONDI Architecture & Security] [widgets] new 
digsig draft

Dear Marcos,

We cannot technically guarantee that the author signature 
really comes from the widget's author. It is like having an 
envelope with an unsigned letter. The envelope and the letter 
can come from different sources even if the envelope has a signature.

Best Regards,

Rainer
---
Sent from my mobile device


- Original Message -
From: Marcos Caceres marc...@opera.com
To: Paddy Byers pa...@aplix.co.jp
Cc: Hillebrand, Rainer; WebApps WG public-webapps@w3.org; 
otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
Sent: Thu Mar 26 17:12:20 2009
Subject: Re: [BONDI Architecture & Security] [widgets] new digsig draft

On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers pa...@aplix.co.jp wrote:
 Hi,

 Agreed. Can we say "were signed with the same certificate" instead?

 I understood that Webapps had agreed to add a signature profile that 
 designates a particular signature as the author signature - 
and where 
 this is present it is possible to come up with appropriate precise 
 wording as to whether or not two packages originate from the 
same author.

Well, that's basically what we have, but Rainer seems to imply 
that it is impossible to do this. I think we get as close as 
we technically can to achieving that goal. However, if that 
current solution is inadequate, then please send us suggestions.

--
Marcos Caceres
http://datadriven.com.au


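Rainer's comment 9 of 26 March (a signature only proves which key signed, and nothing stops someone from stripping every signature and re-signing) and Mark's list above of what the author and distributor signatures can and cannot establish can be made concrete in code. The Python below is an added example, not the specification's processing rules and not any correspondent's implementation. It models a package as a dict of file name to bytes; uses textbook RSA over publicly known Mersenne primes as a stand-in for a real signing scheme (these keys are deliberately insecure and only illustrate the structure); stores the signer's public key inside the signature file in place of ds:KeyInfo; and treats a constructed set of key fingerprints as the out-of-band trust anchors of section 7.3. The file names author-signature.xml and signatureN.xml follow the digsig draft; the JSON manifest format and the fingerprint scheme are assumptions of this example.

```python
"""Toy model of widget author and distributor signatures (added example)."""
import hashlib
import json

AUTHOR_SIG = "author-signature.xml"


def toy_keypair(p, q, e=65537):
    """Textbook RSA from two primes. The primes used below are public Mersenne
    primes, so these keys only illustrate signature structure; never use them for real."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


def key_id(pub):
    """Stand-in for a certificate identity: a fingerprint of the public modulus."""
    return hashlib.sha256(str(pub[0]).encode()).hexdigest()[:16]


def is_distributor_sig(name):
    return name.startswith("signature") and name.endswith(".xml")


def content_files(pkg):
    return sorted(n for n in pkg if n != AUTHOR_SIG and not is_distributor_sig(n))


def manifest(pkg, names):
    """Canonical (file name -> digest) listing that a signature covers (assumed format)."""
    digests = {n: hashlib.sha256(pkg[n]).hexdigest() for n in sorted(names)}
    return json.dumps(digests, sort_keys=True).encode()


def write_signature(pkg, name, priv, pub, covered):
    doc = {"pub": list(pub), "sig": str(sign(priv, manifest(pkg, covered)))}
    pkg[name] = json.dumps(doc).encode()


def add_author_signature(pkg, priv, pub):
    write_signature(pkg, AUTHOR_SIG, priv, pub, content_files(pkg))


def add_distributor_signature(pkg, priv, pub, index=1):
    # A distributor signature covers the content files and the author signature (if present).
    covered = content_files(pkg) + ([AUTHOR_SIG] if AUTHOR_SIG in pkg else [])
    write_signature(pkg, f"signature{index}.xml", priv, pub, covered)


def check_signature(pkg, name, covered, trust_anchors):
    doc = json.loads(pkg[name])
    pub = tuple(doc["pub"])
    return {"valid": verify(pub, manifest(pkg, covered), int(doc["sig"])),
            "trusted": key_id(pub) in trust_anchors, "signer": key_id(pub)}


def validate(pkg, trust_anchors):
    """Distributor signatures in descending order first, then the author signature.
    An empty result means the package is unsigned: nothing can be checked, and what
    to do with it is left to the user agent's policy."""
    results, has_author = {}, AUTHOR_SIG in pkg
    for name in sorted((n for n in pkg if is_distributor_sig(n)), reverse=True):
        covered = content_files(pkg) + ([AUTHOR_SIG] if has_author else [])
        results[name] = check_signature(pkg, name, covered, trust_anchors)
    if has_author:
        results[AUTHOR_SIG] = check_signature(pkg, AUTHOR_SIG, content_files(pkg), trust_anchors)
    return results


def same_author_key(pkg_a, pkg_b):
    """True only if both author signatures verify and were made with the same key.
    That is all it says: whoever holds that key signed both, nothing about authorship."""
    ra = validate(pkg_a, set()).get(AUTHOR_SIG)
    rb = validate(pkg_b, set()).get(AUTHOR_SIG)
    return bool(ra and rb and ra["valid"] and rb["valid"] and ra["signer"] == rb["signer"])


# Constructed keys and trust policy for the demonstration.
AUTHOR_PUB, AUTHOR_PRIV = toy_keypair(2**127 - 1, 2**521 - 1)
DIST_PUB, DIST_PRIV = toy_keypair(2**107 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = toy_keypair(2**61 - 1, 2**1279 - 1)
TRUST_ANCHORS = {key_id(AUTHOR_PUB), key_id(DIST_PUB)}


def build_signed_package(author=(AUTHOR_PRIV, AUTHOR_PUB)):
    """A constructed widget package with an author signature and one distributor signature."""
    pkg = {"config.xml": b'<widget xmlns="http://www.w3.org/ns/widgets"/>',
           "index.html": b"<p>hello</p>", "icon.png": b"\x89PNG..."}
    add_author_signature(pkg, *author)
    add_distributor_signature(pkg, DIST_PRIV, DIST_PUB)
    return pkg


def strip_signatures(pkg):
    """What is left after every signature file is removed: an unsigned package."""
    return {n: pkg[n] for n in content_files(pkg)}


if __name__ == "__main__":
    pkg = build_signed_package()
    print(validate(pkg, TRUST_ANCHORS))
    print(validate(strip_signatures(pkg), TRUST_ANCHORS))  # {}: nothing left to check
```

Three behaviours fall straight out of the model. Deleting author-signature.xml breaks the distributor signature that covered it, which is why Mark's "distributor signatures cover the author signature" gives the author signature some protection. Deleting every signature file leaves nothing to validate at all, which is Rainer's point: only policy on unsigned packages, or a trust-anchor check that rejects a cryptographically valid signature from a key that is not acceptable, can catch that. And `same_author_key` is the precise content of the "may" in Mark's text: equal fingerprints prove the same private key was used, not the same author.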

AW: Re: [BONDI Architecture & Security] [widgets] new digsig draft

2009-03-26 Thread Hillebrand, Rainer
Dear Frederick,

The intent is clear but the technical solution will only provide confidence if 
you trust the owner of the author certificate. If you trust the owner then it 
is very likely for you that a widget with this author signature really comes 
from this author. However, there is no technical relationship between the 
widget author and the owner of the author certificate that you can technically 
verify.

Best Regards,

Rainer
---
Sent from my mobile device


- Original Message -
From: Frederick Hirsch frederick.hir...@nokia.com
To: ext Priestley, Mark, VF-Group mark.priest...@vodafone.com
Cc: Frederick Hirsch frederick.hir...@nokia.com; Hillebrand, Rainer; 
marc...@opera.com marc...@opera.com; pa...@aplix.co.jp pa...@aplix.co.jp; 
public-webapps@w3.org public-webapps@w3.org; otsi-arch-...@omtplists.org 
otsi-arch-...@omtplists.org
Sent: Thu Mar 26 18:34:57 2009
Subject: Re: [BONDI Architecture & Security] [widgets] new digsig draft

I think I disagree, since the intent *is* to identify the author, that  
is the semantics, and this proposed change makes it less clear.

Of course we can argue whether or not you achieve that if you cannot  
associate the signature with the author, but that is out of scope.


regards, Frederick

Frederick Hirsch
Nokia



On Mar 26, 2009, at 12:58 PM, ext Priestley, Mark, VF-Group wrote:

 Hi All,

 As the author signature was something I had a hand in creating let  
 me add my 2 pence worth.

 Rainer is correct in that the author signature need not actually  
 come from the author of the widget. It comes from someone who claims  
 to be the widget's author. Whether you believe this claim depends on  
 how much you trust the signer.

 In [1] the current text says:

 [
 The author signature can be used to determine:

* the author of a widget,
* that the integrity of the widget is as the author intended,
* and whether two widgets came from the same author.
 ]

 I would suggest changing this to:

 [
 The author signature can be used to:

* authenticate the identity of the entity that added the author  
 signature to the widget package,
* confirm that no widget files have been modified, deleted or  
 added since the generation of the author signature.

 The author signature may be used to:
* determine whether two widgets came from the same author.
 ]

 The reason the last point is a may is as follows:

 If two widgets contain author signatures that were created using the  
 same private key then we can say that the widgets were both signed  
 by someone who had access to that key. That would normally mean the  
 same entity (author, company, whatever). If the owner of that key  
 shares it with others then obviously this no longer is true.  
 However, this is the choice of the owner of the key - normally you  
 would not share your private key!

 One additional point to add. We also define a distributor signature.  
 Distributor signatures cover the author signature. As such a  
 distributor signature may (depending on other factors) be making an  
 implicit statement that the distributor believes the owner of the  
 author signature to be the widget's author.

 Any clearer?

 Thanks,

 Mark


 [1] http://dev.w3.org/2006/waf/widgets-digsig/Overview.html








 






-Original Message- 
 From: public-webapps-requ...@w3.org
 [mailto:public-webapps-requ...@w3.org] On Behalf Of Hillebrand,  
 Rainer
 Sent: 26 March 2009 16:20
 To: marc...@opera.com; pa...@aplix.co.jp
 Cc: public-webapps@w3.org; otsi-arch-...@omtplists.org
 Subject: AW: Re: [BONDI Architecture & Security] [widgets] new
 digsig draft

 Dear Marcos,

 We cannot technically guarantee that the author signature
 really comes from the widget's author. It is like having an
 envelope with an unsigned letter. The envelope and the letter
 can come from different sources even if the envelope has a signature.

 Best Regards,

 Rainer
 ---
 Sent from my mobile device


 - Original Message -
 From: Marcos Caceres marc...@opera.com
 To: Paddy Byers pa...@aplix.co.jp
 Cc: Hillebrand, Rainer; WebApps WG public-webapps@w3.org;
 otsi-arch-...@omtplists.org otsi-arch-...@omtplists.org
 Sent: Thu Mar 26 17:12:20 2009
 Subject: Re: [BONDI Architecture & Security] [widgets] new digsig  
 draft

 On Thu, Mar 26, 2009 at 4:29 PM, Paddy Byers pa...@aplix.co.jp  
 wrote:
 Hi,

 Agreed. Can we say "were signed with the same certificate" instead?

 I understood that Webapps had agreed to add a signature

RE: [widgets] Minutes from 25 February 2009 Widgets F2F Meeting

2009-03-19 Thread Hillebrand, Rainer
Dear Art,

May I give feedback on an old action item regarding the preference for ECDSA 
vs. DSA. I hope that T-Mobile's position statement is not too late.

T-Mobile favors ECDSA. DSA has no advantage regarding speed and memory 
consumption against the classic RSA. ECDSA improves the security level.

Please note that ECDSA supports prime field cases and binary field cases. 
Especially the binary field cases are covered by patents.

Due to the fact that different parameters for the elliptic curves can be used 
or are standardized, these parameters are relevant too. The NIST recommends 
fifteen elliptic curves (five prime curves and ten binary curves, see also 
http://en.wikipedia.org/wiki/Elliptic_curve_cryptography). The so-called 
Brainpool curves are preferred in Germany (see also 
http://www.ietf.org/internet-drafts/draft-lochter-pkix-brainpool-ecc-03.txt).

Best Regards,

Rainer




RE: [widgets] Screenshots and case sensitive file names

2009-03-16 Thread Hillebrand, Rainer
Dear Marcos,

IMO, it is a good idea to support multiple screenshots that are used to 
represent a widget in a running state. So, I support your proposal. The PC 
might not be the right place to define "running state". Under the assumption 
that a widget could be in different running states, multiple screenshots make 
sense, too. However, if we define the running states in another specification, 
then it will be fine to associate these running states with the screenshots as 
well. If not, then a WUA will not know which screenshot to use. Different 
levels of preference are not sufficient for this purpose because the WUA does 
not know which running state has a higher level than another one. Shouldn't 
we associate each screenshot with zero or more running states? What would you 
think about:

Usage Example 1:

<widget xmlns="http://www.w3.org/ns/widgets">
  <screenshot src="/screenshots/mainscreen.jpg"/>
</widget>

Usage Example 2:

<widget xmlns="http://www.w3.org/ns/widgets">
  <screenshot src="/screenshots/mainscreen.jpg">
    <state>installed</state>
    <state>running</state>
  </screenshot>
  <screenshot src="/screenshots/mini.jpg">
    <state>background</state>
  </screenshot>
  <screenshot src="/screenshots/default.jpg"/>
</widget>

default.jpg in example 2 is used for all other states.

Best Regards,

Rainer




RE: [widgets] Screenshots and case sensitive file names

2009-03-16 Thread Hillebrand, Rainer
Dear Marcos,

The current version W3C Working Draft 11 March 2009 does not mention the 
gallery in Chapter 6.9: "A screenshot is an optional file inside the widget 
resource that graphically represents the widget in a running state." Well, the 
question is what is a running state and which kind of application uses the 
screenshot. As it is written in the draft spec it could also be used by the WUA 
to graphically represent a widget.

I would assume that it is out of scope for the PC to define which application 
uses a screenshot for which purpose.

By the way, the current CSS settings move the text to the left so that I cannot 
see the whole text after Chapter 7.7 in IE 6.0.

Best Regards,

Rainer




RE: [widgets] Minutes from 12 March 2009 Voice Conference

2009-03-16 Thread Hillebrand, Rainer
Dear Art,

Regarding PC spec - Mandatory config file, I would like to give more 
information about my concerns.

According to the current W3C Working Draft 9 March 2009, the config.xml file 
has a single mandatory element. This is the widget element. All its expected 
child elements and attributes are optional. Therefore I have got the 
impression that the config.xml file does not add any security. However, it will 
help to identify a zip archive as a widget if the media type and/or file 
extension are missing.

To be clear, I do not have any objections against the config.xml file in 
general. I only have concerns regarding its potential to improve security.

Best Regards,

Rainer




RE: [widgets] Minutes from 12 March 2009 Voice Conference

2009-03-16 Thread Hillebrand, Rainer
Ok!






-Original Message- 
From: marcosscace...@gmail.com [mailto:marcosscace...@gmail.com] On Behalf Of 
Marcos Caceres
Sent: Monday, 16 March 2009 15:34
To: Hillebrand, Rainer
Cc: Arthur Barstow; public-webapps
Subject: Re: [widgets] Minutes from 12 March 2009 Voice Conference

On Mon, Mar 16, 2009 at 3:06 PM, Hillebrand, Rainer 
<rainer.hillebr...@t-mobile.net> wrote:
> Dear Art,
>
> Regarding PC spec - Mandatory config file, I would like to give more 
> information about my concerns.
>
> According to the current W3C Working Draft 9 March 2009, the config.xml 
> file has a single mandatory element. This is the widget element. All its 
> expected child elements and attributes are optional. Therefore I have got 
> the impression that the config.xml file does not add any security. However, 
> it will help to identify a zip archive as a widget if the media type and/or 
> file extension are missing.
>
> To be clear, I do not have any objections against the config.xml file in 
> general. I only have concerns regarding its potential to improve security.


Ok, forget the security aspects. Let's just say it identifies a widget as being 
a widget in the absence of a media type.


--
Marcos Caceres
http://datadriven.com.au



RE: [widgets-digsig] Editors Draft update and open issues

2009-03-16 Thread Hillebrand, Rainer
Dear Frederick,

I agree with you and Mark to remove "Only the first distributor signature MUST 
be processed." It may depend on a security policy which is currently not 
defined. It might be the first matching signature which can be successfully 
validated with a public key that is available to the WUA. The signatures' order 
in a widget resource does not need to have any influence.

Best Regards,

Rainer




RE: [widgets] Making config.xml mandatory

2009-03-10 Thread Hillebrand, Rainer
Dear Arve,

Good point regarding OMTP/BONDI. BONDI supports a security framework for 
widgets and web pages (or non-widgets).

On the other hand, if widgets in pre-existing implementations may use sensitive 
resources then I as an attacker would pack my rogue content in a widget 
resource, add the config.xml file and run my attack. In other words, the 
config.xml file does not prevent any attack.

I agree with you that the config.xml file already supports security relevant 
features, like <access network="true"/>. However, as long as we do not have any 
means to check whether a widget user agent could trust a widget and that it 
does not misuse the network access, then a widget user agent must always allow 
this network access.

If the config.xml file is the major means to identify a zip archive as widget 
resource then we will not need to define the file extension wgt and the MIME 
type application/widget.

IMHO, I do not see the config.xml as a security solution. I would agree with 
you that it might be required to define settings that do not have default 
values. Do we have such settings?

Best Regards,

Rainer




RE: [widgets] Making config.xml mandatory

2009-03-09 Thread Hillebrand, Rainer
Dear Marcos,

We already have defined two parameters that identify a zip archive as a widget 
resource:

a) The content type in a server's response.

b) The file extension for a widget resource that is distributed on memory cards 
for instance.

Roughly thinking, I have the impression that this is sufficient.

In case of a missing config.xml all default configuration settings should apply 
to such a widget resource.

Best Regards,

Rainer




RE: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: Packaging & Configuration spec

2009-03-02 Thread Hillebrand, Rainer
Dear Marcos,

I have some doubts that a secure transport of a widget resource is so important 
in case of a signed widget resource. I would agree with you that we currently 
do not know how a signature is considered because we do not have a security 
framework and security policies that would define the use of signatures. 
However, if a user agent implements a security framework that enforces security 
policies considering signed widget resources then a secure transport will not 
be required. The signature shall guarantee the widget resource's integrity and 
authenticity. What would a secure transport add?

Best Regards,

Rainer




-Original Message- 
From: public-webapps-requ...@w3.org [mailto:public-webapps-requ...@w3.org] On 
Behalf Of Marcos Caceres
Sent: Tuesday, 24 February 2009 23:34
To: Frederick Hirsch
Cc: ext Priestley, Mark, VF-Group; Barstow Art (Nokia-CIC/Boston); 
public-webapps
Subject: Re: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: 
Packaging & Configuration spec

Hi Frederick,

On Tue, Feb 24, 2009 at 11:19 PM, Frederick Hirsch <frederick.hir...@nokia.com> 
wrote:
> The Widget Signature spec is not an API definition so probably does 
> not need to define how signature status information is returned.

You are right, so agreed.

> I also agree that it
> would be incorrect to define in the Widget Signature spec whether or 
> not a widget is valid, that is out of scope.

Right again.

> The spec limits itself to signature
> validation.  However I would not want to be prescriptive in the 
> specification to the level of status return codes.

Ok, makes sense.

> We may want to add a security considerations note along the lines of
>
> "As distributor signatures are not included in an overall widget 
> signature, it is possible for signatures to be added or removed and 
> hence a secure channel for widget delivery might be preferable."

Ok, that is also an important security consideration. Should definitely have 
that in the spec under security considerations or some such section.



--
Marcos Caceres
http://datadriven.com.au



RE: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: Packaging & Configuration spec

2009-03-02 Thread Hillebrand, Rainer
Dear Marcos,

I added my comments inline. 

Best Regards,

Rainer




-Original Message- 
From: marcosscace...@gmail.com [mailto:marcosscace...@gmail.com] On Behalf Of 
Marcos Caceres
Sent: Monday, 2 March 2009 15:03
To: Hillebrand, Rainer
Cc: public-webapps
Subject: Re: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: 
Packaging & Configuration spec

On Mon, Mar 2, 2009 at 2:56 PM, Hillebrand, Rainer 
<rainer.hillebr...@t-mobile.net> wrote:
> Dear Marcos,
>
> In order to detect a man-in-the-middle attack, a widget resource is signed, 
> either by an author's certificate that I trust or by an author certificate 
> and a distributor certificate that I trust. "That I trust" means that I have 
> the proven public keys for these certificates. If an attacker replaces or 
> adds a file in the widget resource after it was signed then the signatures 
> will be invalid. If the signatures are stripped off, a file is replaced or 
> added and the widget resource is signed again with another certificate that I 
> do not trust then the attack will fail when checking the signature.


Yes, I am only really concerned with the case whereby the signature is removed 
(I'm aware that it is not possible to do any kind of replacement or tampering 
of the sig). The security policy that we (Web
Apps) have been discussing would allow unsigned widgets to run with full 
privileges by default. 

RH: I will be concerned like you that a widget has access to all widget user 
agent resources regardless of whether:

a) it was signed and signatures were left untouched,

b) it was signed but the signatures were removed,

c) it was unsigned and transported over a secure channel,

d) it was unsigned and transported over an unprotected channel.

As long as the PC does not specify any security mechanism that verifies the 
integrity and the authenticity of a widget resource and that has an influence 
on the access to widget user agent resources or the processing of the widget, 
then we have to live with this concern. Then we can only hope that WUA 
implementers provide their own security mechanism leading to fragmentation in 
this respect.

> I also push for this model because I don't think developers should have to 
> pay for a cert to have their apps run on a device.

RH: From my point of view, signing does not necessarily mean that a developer 
has to pay for it. On the other hand, I am aware of the note in the PC saying 
"How a widget user agent uses a digital signature is determined by the security 
policy implemented by that widget user agent. As such, this specification does 
not mandate processing rules dependent on the verification of one or more 
digital signature documents or on the revocation status obtained for the 
certificates associated with a verified digital signature document."

> I would agree with you that a secure transport will be useful if the widget 
> resource is unsigned or signed with an unknown certificate. Then it will be 
> the decision of a security framework and its security policies how such a 
> widget resource will be treated.


Agreed. A point of contention is whether we standardize a base security policy 
or not. We might just leave that totally up to implementers.

RH: I would recommend not to standardize a base security policy for all markets 
in the world. It would take too long. However, we might want to discuss for 
Widgets 2.0 whether we would try agreeing on a security framework defining what 
needs to be protected, how a security policy is defined (i.e. format, 
vocabulary) and how security policies could be provisioned or managed.

--
Marcos Caceres
http://datadriven.com.au



RE: [widgets] Comment on Widgets 1.0: Digital Signatures - the Usage property

2009-02-13 Thread Hillebrand, Rainer

Dear Marcos,

From my point of view the current model as described by you is ok. The author 
of the update description document and the author of the widget resource that 
shall be updated are able to control the security level that shall be reached. 
This is not mandated by the widget specifications family. If somebody wants to 
provide an unsigned update package via HTTP for a signed widget resource then 
this will not be prevented by a widget user agent.

Best Regards,

Rainer




RE: [widgets] Comment on Widgets 1.0: Digital Signatures - the Usage property

2009-02-11 Thread Hillebrand, Rainer

Hi Marcos,

I am not aware of any feedback on your e-mail. Here is mine.

Best Regards,

Rainer




-Original Message- 
From: public-webapps-requ...@w3.org [mailto:public-webapps-requ...@w3.org] On 
Behalf Of Marcos Caceres
Sent: Tuesday, 27 January 2009 11:56
To: Priestley, Mark, VF-Group; public-webapps@w3.org
Subject: Re: [widgets] Comment on Widgets 1.0: Digital Signatures - the Usage 
property



Hi Mark,
Some minor comments below. Bar a few clarifications, I mostly agree with your 
proposal. 

On 1/26/09 1:35 PM, Priestley, Mark, VF-Group
<mark.priest...@vodafone.com> wrote:

>
> A possible solution to this problem would be to require updates to 
> be signed using the same private key that was used to sign the 
> previous version of the widget archive. Essentially this update 
> signature would securely link an update to an installed widget 
> resource by nature of the fact that they had both been signed by 
> someone with access to the same private key.

I'm ok with this so long as it is an auxiliary feature and that updates can be 
performed over plain-old HTTP without requiring a certificate. If an 
implementer chooses to deviate from this model by disallowing updates that lack 
a digital signature, that is their prerogative. Irrespective, I am of the 
position that we must architect the update model to work without signatures 
and then progressively enhance the update model firstly through HTTPS and then 
through signatures.
 
RH: An update may not need to be signed. This depends on the original widget 
resource that shall be updated. An update for a widget resource should only be 
processed if it has the same or a higher security level than the original 
widget resource. For example, a signed widget resource that was installed from 
a memory card shall not be updated with an unsigned update package that was 
retrieved from a web server without SSL/TLS. On the other hand, a signed update 
package should update a widget resource that was retrieved from a web server 
without SSL/TLS.
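Two rules from this thread worked through in code: Rainer's rule for distributor signatures in the digsig editor's draft reply (accept the first signature that validates with a public key available to the WUA, wherever it sits in the package) and his "same or higher security level" rule for updates in the message above. This is an added example, not code from the thread or from the W3C widget specifications; it assumes ECDSA over P-256 (one of the NIST prime curves named in the first message), a SHA-256 digest over the packaged files as a stand-in for the XML DSig reference list, a constructed ordering of security levels (unsigned over plain HTTP < unsigned over TLS < signed by a trusted key), and constructed widget contents and distributor names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// File and Widget are a constructed stand-in for the files in a widget resource.
type File struct{ Name string; Data []byte }
type Widget []File

// Digest hashes every file name and content in package order, so a file that is
// replaced or added after signing changes the value. It stands in for the XML
// DSig reference list; it is not the W3C Widgets DigSig format itself.
func (w Widget) Digest() []byte {
	h := sha256.New()
	for _, f := range w {
		h.Write([]byte(f.Name))
		h.Write([]byte{0}) // separator between name and content
		h.Write(f.Data)
	}
	return h.Sum(nil)
}

// Sign returns a detached ECDSA (ASN.1 DER) distributor signature over the digest.
func Sign(key *ecdsa.PrivateKey, w Widget) []byte {
	der, err := ecdsa.SignASN1(rand.Reader, key, w.Digest())
	if err != nil {
		panic(err) // a valid key with rand.Reader does not fail in practice
	}
	return der
}

// TrustStore maps a distributor name to the public key provisioned on the WUA.
type TrustStore map[string]*ecdsa.PublicKey

// SelectDistributorSignature accepts the first signature that validates with any
// key the WUA trusts; a trusted signature is accepted wherever it sits in the
// list, so the order of signatures in the package has no influence.
func SelectDistributorSignature(w Widget, sigs [][]byte, ts TrustStore) (string, bool) {
	digest := w.Digest()
	for _, sig := range sigs {
		for name, pub := range ts {
			if ecdsa.VerifyASN1(pub, digest, sig) {
				return name, true
			}
		}
	}
	return "", false
}

// UpdateAllowed applies the "same or higher security level" rule. The ordering
// unsigned over plain HTTP (0) < unsigned over TLS (1) < validly signed by a
// trusted key (2) is an assumption made for this illustration.
func UpdateAllowed(origSigned, origTLS, updSigned, updTLS bool) bool {
	level := func(signed, tls bool) int {
		if signed {
			return 2
		}
		if tls {
			return 1
		}
		return 0
	}
	return level(updSigned, updTLS) >= level(origSigned, origTLS)
}

// RunScenario signs one constructed widget with two distributor keys, trusts only
// the second and places its signature last; it also tries a tampered and a stripped copy.
func RunScenario() (accepted string, tampered, stripped bool) {
	untrusted, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	trusted, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	w := Widget{{"config.xml", []byte(`<widget xmlns="http://www.w3.org/ns/widgets"/>`)}, {"index.html", []byte("<p>hello</p>")}}
	sigs := [][]byte{Sign(untrusted, w), Sign(trusted, w)}
	ts := TrustStore{"distributor-b": &trusted.PublicKey}
	accepted, _ = SelectDistributorSignature(w, sigs, ts)
	// Replace a file after signing: no signature validates any more.
	bad := Widget{w[0], {"index.html", []byte("<p>changed</p>")}}
	_, tampered = SelectDistributorSignature(bad, sigs, ts)
	// Strip the signatures: nothing validates, the widget is simply unsigned.
	_, stripped = SelectDistributorSignature(w, nil, ts)
	return
}

func main() {
	accepted, tampered, stripped := RunScenario()
	fmt.Printf("accepted=%q tampered=%v stripped=%v\n", accepted, tampered, stripped)
	fmt.Println("signed<-unsigned/HTTP:", UpdateAllowed(true, false, false, false), "unsigned/HTTP<-signed:", UpdateAllowed(false, false, true, false))
}
```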