[ 
https://issues.apache.org/jira/browse/WOOKIE-139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422957#comment-13422957
 ] 

Pushpalanka Jayawardhana commented on WOOKIE-139:
-------------------------------------------------

I have developed the digsig code as part of Wookie in the IDE. The xercesImpl 2.0.2 
jar is in the classpath. I will try to apply the patch on my local machine and 
check.
                
> Implement the W3C XML Digital Signatures for Widgets specification in Wookie
> ----------------------------------------------------------------------------
>
>                 Key: WOOKIE-139
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-139
>             Project: Wookie
>          Issue Type: New Feature
>            Reporter: Scott Wilson
>              Labels: gsoc2012, mentor
>         Attachments: Signer_W3C_widget_digisg.patch, 
> Wookie_Widget_Signer_Guide, logo.png
>
>
> W3C XML Digital Signatures for Widgets specifies how both authors and 
> distributors of widgets can digitally sign a Widget package: 
> The spec is here: http://dev.w3.org/2006/waf/widgets-digsig/
> This means that an organisation can choose to automatically install and 
> update widgets that carry recognised signatures - for example from a 
> reputable online widget store (distributor) or from an approved widget author 
> rather than require admin intervention to approve them. 
> For Wookie this means implementing the mechanism for locating and verifying 
> W3C signature.xml files in Widgets, and providing signature management 
> options. 
> For example, we may want to have a configuration property set for requiring 
> signatures be checked, and a file where trusted signatories are listed for 
> checking against when a new widget is uploaded, or a new version is detected 
> online using Widget Updates. 
> We may also want to look at how Wookie can delegate upwards decisions based 
> on signature verification, for example to let an Apache Rave admin choose to 
> allow automatic publishing of signed widgets from trusted sources provided 
> that Wookie has verified the signature and returned this information to Rave. 
> This could be handled in the response to uploading a widget to Wookie using 
> the REST API, e.g. adding <signature verified="true" type="author"/> to the 
> metadata returned in the response body.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
