[jira] [Updated] (WOOKIE-139) Implement the W3C XML Digital Signatures for Widgets specification in Wookie

Wed, 15 Aug 2012 07:20:39 -0700 

     [ 
https://issues.apache.org/jira/browse/WOOKIE-139?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Scott Wilson updated WOOKIE-139:
--------------------------------

    Fix Version/s: 0.12.0
    
> Implement the W3C XML Digital Signatures for Widgets specification in Wookie
> ----------------------------------------------------------------------------
>
>                 Key: WOOKIE-139
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-139
>             Project: Wookie
>          Issue Type: New Feature
>            Reporter: Scott Wilson
>              Labels: gsoc2012, mentor
>             Fix For: 0.12.0
>
>         Attachments: logo.png, Signer_W3C_widget_digisg.patch, 
> verifying_digital_signatures_v2.patch, wookie-digsig-v1.patch, 
> Wookie_Widget_Signer_Guide
>
>
> W3C XML Digital Signatures for Widgets specifies how both authors and 
> distributors of widgets can digitally sign a Widget package: 
> The spec is here: http://dev.w3.org/2006/waf/widgets-digsig/
> This means that an organisation can choose to automatically install and 
> update widgets that carry recognised signatures - for example from a 
> reputable online widget store (distributor) or from an approved widget author 
> rather than require admin intervention to approve them. 
> For Wookie this means implementing the mechanism for locating and verifying 
> W3C signature.xml files in Widgets, and providing signature management 
> options. 
> For example, we may want to have a configuration property set for requiring 
> signatures be checked, and a file where trusted signatories are listed for 
> checking against when a new widget is uploaded, or a new version is detected 
> online using Widget Updates. 
> We may also want to look at how Wookie can delegate upwards decisions based 
> on signature verification, for example to let an Apache Rave admin choose to 
> allow automatic publishing of signed widgets from trusted sources provided 
> that Wookie has verified the signature and returned this information to Rave. 
> This could be handled in the response to uploading a widget to Wookie using 
> the REST API, e.g. adding <signature verified="true" type="author"/> to the 
> metadata returned in the response body.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to