incubator-wookie-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Scott Wilson (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WOOKIE-139) Implement the W3C XML Digital Signatures for Widgets specification in Wookie
Date Wed, 07 Mar 2012 10:08:57 GMT

     [ https://issues.apache.org/jira/browse/WOOKIE-139?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Scott Wilson updated WOOKIE-139:
--------------------------------

           Description: 
W3C XML Digital Signatures for Widgets specifies how both authors and distributors of widgets
can digitally sign a Widget package: 

The spec is here: http://dev.w3.org/2006/waf/widgets-digsig/

This means that an organisation can choose to automatically install and update widgets that
carry recognised signatures - for example from a reputable online widget store (distributor)
or from an approved widget author rather than require admin intervention to approve them.


For Wookie this means implementing the mechanism for locating and verifying W3C signature.xml
files in Widgets, and providing signature management options. 

For example, we may want to have a configuration property set for requiring signatures be
checked, and a file where trusted signatories are listed for checking against when a new widget
is uploaded, or a new version is detected online using Widget Updates. 

We may also want to look at how Wookie can delegate upwards decisions based on signature verification,
for example to let an Apache Rave admin choose to allow automatic publishing of signed widgets
from trusted sources provided that Wookie has verified the signature and returned this information
to Rave. This could be handled in the response to uploading a widget to Wookie using the REST
API, e.g. adding <signature verified="true" type="author"/> to the metadata returned
in the response body.

  was:
We should implement DigSig, particularly for when we implement automatic updates (see WOOKIE-103)

The spec is here: http://www.w3.org/TR/widgets-digsig/

         Fix Version/s:     (was: 0.10.2)
                Labels: gsoc2012 mentor  (was: )
    Remaining Estimate:     (was: 168h)
     Original Estimate:     (was: 168h)
               Summary: Implement the W3C XML Digital Signatures for Widgets specification
in Wookie  (was: Implement Widget digital signatures)
    
> Implement the W3C XML Digital Signatures for Widgets specification in Wookie
> ----------------------------------------------------------------------------
>
>                 Key: WOOKIE-139
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-139
>             Project: Wookie
>          Issue Type: New Feature
>            Reporter: Scott Wilson
>              Labels: gsoc2012, mentor
>
> W3C XML Digital Signatures for Widgets specifies how both authors and distributors of
widgets can digitally sign a Widget package: 
> The spec is here: http://dev.w3.org/2006/waf/widgets-digsig/
> This means that an organisation can choose to automatically install and update widgets
that carry recognised signatures - for example from a reputable online widget store (distributor)
or from an approved widget author rather than require admin intervention to approve them.

> For Wookie this means implementing the mechanism for locating and verifying W3C signature.xml
files in Widgets, and providing signature management options. 
> For example, we may want to have a configuration property set for requiring signatures
be checked, and a file where trusted signatories are listed for checking against when a new
widget is uploaded, or a new version is detected online using Widget Updates. 
> We may also want to look at how Wookie can delegate upwards decisions based on signature
verification, for example to let an Apache Rave admin choose to allow automatic publishing
of signed widgets from trusted sources provided that Wookie has verified the signature and
returned this information to Rave. This could be handled in the response to uploading a widget
to Wookie using the REST API, e.g. adding <signature verified="true" type="author"/>
to the metadata returned in the response body.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message