Apps/Security/Distribution: Difference between revisions

"Stores" correspond to the W3C's definition of "Distributors"; authors correspond to the B2G concept of "app developer".


The only problem with the W3C XML Widget Digital Signature Standard is one of maturity: the infrastructure behind GNU/Linux distributions has been deploying chained signing for a considerable time and has a complete architecture decades in the making, whereas the W3C standard was only ratified in late 2011. However, here are some implementations:


* [http://docs.oracle.com/javase/6/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html Java javax.xml.crypto.dsig package]: this appears to implement solely the cryptographic portion of the API; it does ''not'' implement a complete store, nor any infrastructure for validating packages, nor any infrastructure for downloading or distributing them.
* There is a GSoC project to implement it in Apache Wookie, which already has student interest. There is therefore a strong possibility that an open source implementation will exist by the end of Summer 2012.
On the commercial side, the W3C XML Widget Digital Signature spec has been implemented by Opera, Nokia, Vodafone, Samsung, Obigo, RIM and a number of web TV platforms, as it is part of many other spec stacks in the mobile and TV space such as WAC, MPEG-U, HbbTV and CMX.
There have been some packaging and signing tools supporting the spec issued as part of SDKs, e.g. the Vodafone widget packager and the WAC SDK (possibly written by Samsung/LiMo). The BlackBerry web apps signing tools may also use widgets-digsig, as BlackBerry Widgets are W3C Widgets. RIM may have open-sourced most of their Widgets code last year, so that may be another lead.


=== Trusted store with permissions delegation ===