AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-26 Thread Hillebrand, Rainer
Dear Marcos, We cannot technically guarantee that the author signature really comes from the widget's author. It is like having an envelope with an unsigned letter. The envelope and the letter can come from different sources even if the envelope has a signature. Best Regards, Rainer

AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-26 Thread Hillebrand, Rainer
Sent: 26 March 2009 16:20 To: marc...@opera.com; pa...@aplix.co.jp Cc: public-webapps@w3.org; otsi-arch-...@omtplists.org Subject: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft Dear Marcos, We cannot technically guarantee that the author signature really comes from

Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-26 Thread Thomas Roessler
Of Hillebrand, Rainer Sent: 26 March 2009 16:20 To: marc...@opera.com; pa...@aplix.co.jp Cc: public-webapps@w3.org; otsi-arch-...@omtplists.org Subject: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft Dear Marcos, We cannot technically guarantee that the author signature really comes

Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-26 Thread Frederick Hirsch
(removing cross-posting since it doesn't work for mail from everyone) I'd like to point out that section 5.2 says what an author signature *can* do. I'm strongly against muddying this to account for various edge cases - I agree with Thomas that the meaning is clear. However I understand

Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-26 Thread Frederick Hirsch
I think the draft provides enough assurance for the intended level of use. If you want higher levels of assurance more will be required, but I don't believe we have a requirement here for that. regards, Frederick Frederick Hirsch Nokia On Mar 26, 2009, at 12:20 PM, ext Hillebrand, Rainer

Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-26 Thread Frederick Hirsch
, March 26, 2009 7:05 PM To: Hillebrand, Rainer Cc: frederick.hir...@nokia.com; mark.priest...@vodafone.com; marc...@opera.com ; pa...@aplix.co.jp; public-webapps@w3.org; otsi-arch-...@omtplists.org Subject: Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft What the author

RE: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-26 Thread Marcin Hanclik
, March 26, 2009 10:38 PM To: Hillebrand, Rainer Cc: marc...@opera.com; pa...@aplix.co.jp; public-webapps@w3.org; otsi-arch-...@omtplists.org Subject: Re: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft Suggestion: The author signature asserts that the signing party is an author

Re: [BONDI Architecture Security] [widgets] Author, was: RE: AW: Re: [BONDI Architecture Security] [widgets] new digsig draft

2009-03-26 Thread Paddy Byers
Hi, I have been trying to identify the term author in Widget specs. I think we're in danger of getting into details that are irrelevant for the PC specification. This spec should define what information is asserted by the presence of the author and distributor signatures. It is up to a