Hi,
Unfortunately, no. For you to encrypt something that a widget engine
could read using asymmetrical encryption, I'd have to give you my
public key. So far so good, but then for me to read it, I'd still
need to have my private key in my software. Once there, it's
effectively compromised. Even if the private key was somehow
protected, you'd have to have the key to unlock it in your software.
The only way to mitigate that would be to have a system where each
copy of the software had its own private key and have it such that to
run a protected widget it would have to be encrypted using that
engine's public key. This is unwieldy and prevents you from just
putting your software out there as a simple package for anyone to
download.
--Ed
On Dec 30, 2006, at 10:18 AM, mozer wrote:
On 12/30/06, Ed Voas <[EMAIL PROTECTED]> wrote:
The problem I see with encrypting content is that you'll need to use
a shared secret. That secret will be in the source code of the widget
runner. This is something that I know our security peeps would have
an issue with. This is actually the main reason we don't have any
true encryption in our stuff to date. Does anyone know a good way to
pull this off with no shared secrets?
That's the aim of asymetric encryption
The emittor has a private key
Emit a public key out of that private one
And encrypt with his private key
You can decrypt with the public key
But nobody can encrypt with the public key, so nobody share the
secret with the emittor
Does this help you?
Xmlizer
