>I'm not sure restricting access to a signature is desirable 
>since signatures are intended to be objects that can be 
>evaluated etc - there is even a widget requirement that they 
>can be removed and conveyed independently of the widget.
>Thus I assume access to the signature is possible outside the 
>context of the engine.

[mp] To be clear I was suggesting that access to signatures was
restricted from the widget after installation. I was not suggesting that
they were not more generally available. As you say access to signatures
after installation (outside of the widget) is useful and should be

>XML Signature is used in many applications where signatures 
>are to be shared and used - the idea is that it should be a 
>secure object in and of itself. If there is a security risk it 
>should then be addressed, but restricting access to the 
>signature should not be necessary.

[mp] See above comment - my explanation below explains that while
signatures may be secure in of themselves there is (an admittedly edge)
case in which the presence of multiple signatures could create a

>Addition or removal of signatures might be an issue however, 
>if signature elements are not included in overall integrity 
>protection of the entire widget. 

[mp] Yes, this is the cause of the issue but I think it is a necessary
behaviour if we are to allow multiple signatures, which is what we are
aiming for. 

>This might be mitigated to 
>some degree by certificate requirements, especially if widgets 
>are always required to be signed. We might want to clarify the 
>requirements, now they seem to require signing but the email 
>discussion suggests unsigned widgets as well.

[mp] I don't think this is necessary. The requirements, as I understand
them, require support for signed widgets but not that all widgets are
signed, which I think is fine. To address the issue I outlined below (if
we agree that it is an issue) we just need to make the signature files
unavailable to the widget at runtime. They are identified by a filename
pattern so this shouldn't be hard.

>Is there currently any specification of how policy is 
>expressed and handled in the context of widgets? I didn't see 
>anything on the wiki.  

[mp] Not in the W3C Widgets specs AFAIK

>Absent expressed policy, will widget installation and use be 
>If so then a simpler rule might be required for signature 
>validation success since there will be "nobody there" to 
>evaluate response codes.

[mp] I agree that we might need a simple default policy in the case that
there is "nobody there", but it should be possible to override this
policy if there is a policy has been implemented by "someone"

>Moreover, how is a policy engine to know what a verification 
>success/ failure for a variety of possible signature 
>usage/role types and/or signers to be handled, will rules be 
>expressed in terms of usage/role (e.g. distributor) and what 
>else? The model is not clear to me.

[mp] without meaning to provide a circular answer, I assume that this
will be down to the policy engine. What I think it is important for the
Digital Signatures spec to provide is the hooks for the policy engine to
act on. 

>> Hi Marcos,
>> More responses to your comments below (marked [mp]). Still 
>need to get 
>> back to you on the access element but I need to think about it a bit 
>> more first.
>> Thanks,
>> Mark
>>> ----------------------
>>> Step 5 Process the Digital Signatures
>>> We disagree with the stage 2, specifically "If the file entry is 
>>> deemed by the [Widgets-DigSig] to be an invalid widget, 
>then a widget 
>>> user agent must treat this widget as an invalid widget.", on two
>> grounds:
>>> (1) Because one signature is invalid it doesn't mean that 
>all of the 
>>> signatures are invalid;
>>> (2) Just because one signature or all signatures are 
>invalid does not 
>>> mean that the widget should not be installed, only that it should 
>>> _not_ be treated as a signed widget. The security policy of the 
>>> device
>>> might be configured not to install an unsigned widget or a widget 
>>> with
>>> an invalid signature but this should be dependent on the security 
>>> policy implemented.
>> Sorry, I think you might have misunderstood what I was trying to say 
>> here (probably I did not write it clearly enough). This assertion is 
>> here to deal with instances where the digital signature 
>deemed by the 
>> Widgets Dig Sig spec to be somehow fully broken or completely 
>> non-conforming in such a way that all processing must stop. I don't 
>> yet know if Widgets Dig Sig will spit out such a result for 
>any digsig 
>> it is processing, but it seemed like a good idea to put this in here 
>> at the time.
>> [mp] No this was pretty much my understanding. Maybe my 
>comment wasn't 
>> clear enough... IMO [Widgets-DigSig] should result in a list of 
>> signature status values. How the widget user agent responds to those 
>> values should be dependent on the security policy of the widget user 
>> agent.
>> In other words, this is something that is controlled by the Widgets 
>> Dig Sig spec. If it turns out that Widgets Dig Sig never 
>results in an 
>> invalid widget situation, then I will take this out. I've created a 
>> red note in the spec that says "Issue: [Widgets-DigSig] may never 
>> identify a widget package as invalid" as a reminder that we need to 
>> sort this out.
>> [mp] Well I would argue that the [Widgets-DigSig] will never 
>> a widget package as invalid although it may decide that one or more
>> signature(s) are invalid. The security policy of the device 
>may decide 
>> that the widget shouldn't be installed based on the result of 
>> processing the signature file(s) but that is a different thing. I 
>> think that best we can do in the P&C spec is say whether or not the 
>> widget is signed (and even this could be tricky).
>> FWIW, I think step 5  is buggy and needs a rewrite (I've 
>added another 
>> issue to the spec stating as such). I'll need to work with 
>you to fix 
>> it as we progress the Dig Sig spec.
>> [mp] I'll be available to work on this next week
>>> -----------------------------------------------
>>> Step 4 Locate Digital Signatures for the Widget
>>> I'm not sure whether the packaging and configuration 
>specification is 
>>> the correct place to do this but IMHO there needs to be a statement 
>>> that a files with a file name corresponding to the naming 
>>> for digital signatures are not accessible from the widget once the 
>>> widget is installed / instantiated. Failure to impose this 
>>> restriction
>>> will make it possible to include a signature and then reference it 
>>> from the signed code, which presents a security hole.
>> Good point. This seems like something that needs to be in the yet to 
>> be written a widget runtime security spec.  I've added an issue note 
>> to the spec so we don't forget about this.
>> Just out of interest, can you present the nature of the 
>security hole?
>> i.e., once an attacker has the signature, say, via an XSS 
>attack, what 
>> could they do with it?
>> [mp] The hole is that signature files are excluded from the 
>> of the signature values in any other signature files. This 
>means that 
>> if, for example, an attacker added to the widget resource a 
>> file containing some malicious content, the malicious 
>content of that 
>> file wouldn't be covered by any of the other signatures but 
>the widget 
>> user agent thinks the entire widget resource is signed. This could 
>> happen regardless of whether or not the signature file was actually 
>> valid, or was just named according to the convention for digital 
>> signature.
>> To be abused by an attacker it would either be necessary to inject a 
>> reference to the file into the widget, which might be 
>difficult, or to 
>> hijack an existing reference to a signature file by swapping the 
>> intended signature file for the attacker's signature file (with the 
>> same name). While this later attack depends on the author providing 
>> such a reference in their widget, there are two reasons why 
>the author 
>> may currently choose to do this - to get some information about the 
>> signature to display to the user, or possibly more likely, to get 
>> around the need to sign everything in their widget resource 
>(I thought 
>> of this as a way around signing everything so developers will too!).
>> It's not a big hole and the attacks require some "assistance" from 
>> developers, but unless there's a reason not to it should be pretty 
>> easy to close.
