This repository has been archived by the owner on Oct 2, 2019. It is now read-only.

Define what should be done when a trusted application is being installed from a non-trusted source #46

Open
mounirlamouri opened this issue Apr 9, 2013 · 2 comments

Comments

@mounirlamouri
Contributor

(I believe we should make the app not trusted.)

@draggett
Contributor

draggett commented Apr 9, 2013

On 09/04/13 13:47, Mounir Lamouri wrote:

(I believe we should make the app not trusted.)

That makes sense as a default, but what if the app is accompanied with a
certificate acting as a credential from a trusted third party?

Perhaps the origin claimed by the app is trusted, e.g. a well known
website with a solid gold reputation. In this case, we need a way to
verify that the app was issued by that site and hasn't been tampered with.

Perhaps we have a certificate from a trusted authority attesting to the
public key for the site in question? This would allow for an offline
check if the app has been signed by the site. Otherwise, a dynamic check
could be made with the site to verify that the app was created by that
site and hasn't been tampered with.

The latter idea avoids a dependency on bona fide certificates, and
reflects the common experience of sites whose certificates have expired
or, less commonly, were self-signed. Just how important this is isn't clear
to me. Perhaps it is okay to require trusted sites to have bona fide
certificates? Is there a way to get certificates for specific URIs
rather than just for domains? If so, then this would enable developers
to place their apps on trusted servers for which they don't have full
administrative control.

The ability to install an app without being online would be useful for
apps transferred by a USB stick in environments where Internet access is
not practical for whatever reason.

Dave Raggett [email protected] http://www.w3.org/People/Ragg

@jmajnert

jmajnert commented May 9, 2013

For hosted apps the issue seems to be simple: if we trust the entity that serves us the manifest, we trust the app itself. In that context I don't quite get how a trusted app might be installed from an untrusted source. By my understanding the source of the installation is the place that hosts the manifest.

For packaged apps, OTOH, to solve this issue I think we should first define how an application is identified (issue #99) and what makes an application "trusted". As @draggett noted above, if a packaged app contains a valid signature (something like http://www.w3.org/TR/widgets-digsig/) then I don't see any reason not to trust it even if it comes from a known evil site.
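The offline check that @draggett sketches (an authority attests to the site's public key; the site signs the package) and the conclusion @jmajnert draws from it (the delivery channel is irrelevant once the signature verifies, and "not trusted" is the default otherwise) can be shown end to end in one small installer-side decision routine. The code below is an added example for this thread, not code from the project or from either commenter. It assumes Ed25519 signatures over SHA-256 digests as a stand-in for the X.509 / widgets-digsig formats the thread mentions, and all origins, keys and package bytes in it are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustLevel is the installer's decision for one app.
type TrustLevel int

const (
	Untrusted TrustLevel = iota // the default whenever provenance cannot be verified
	Trusted
)

func (t TrustLevel) String() string {
	if t == Trusted {
		return "trusted"
	}
	return "untrusted"
}

// Attestation plays the role of the "certificate from a trusted authority
// attesting to the public key for the site": the authority signs (origin, site key).
type Attestation struct {
	Origin  string
	SiteKey ed25519.PublicKey
	Sig     []byte
}

// SignedPackage is a packaged app, the origin it claims, and the site's
// signature over the package digest. Where the bytes came from is not recorded.
type SignedPackage struct {
	Origin   string
	Contents []byte
	Sig      []byte
}

// Domain-separated messages, so an attestation can never be replayed as a
// package signature or vice versa (assumed encoding, not a standard one).
func attestationMessage(origin string, key ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte("attest\x00" + origin + "\x00"))
	h.Write(key)
	return h.Sum(nil)
}

func packageDigest(origin string, contents []byte) []byte {
	h := sha256.New()
	h.Write([]byte("package\x00" + origin + "\x00"))
	h.Write(contents)
	return h.Sum(nil)
}

// DecideTrust is the offline check. Its only inputs are the installer's pinned
// authority key, the attestation shipped with the app, and the package itself;
// the download source (website, mirror, USB stick) is deliberately not one.
func DecideTrust(authority ed25519.PublicKey, att *Attestation, pkg SignedPackage) (TrustLevel, error) {
	if att == nil {
		return Untrusted, nil // no credential: fall back to the default
	}
	if att.Origin != pkg.Origin {
		return Untrusted, errors.New("attestation names a different origin than the package claims")
	}
	if !ed25519.Verify(authority, attestationMessage(att.Origin, att.SiteKey), att.Sig) {
		return Untrusted, errors.New("authority attestation does not verify")
	}
	if !ed25519.Verify(att.SiteKey, packageDigest(pkg.Origin, pkg.Contents), pkg.Sig) {
		return Untrusted, errors.New("package signature does not verify under the attested site key")
	}
	return Trusted, nil
}

// RunScenarios builds constructed keys, an attestation and a package, then runs
// DecideTrust over the genuine package and three failure modes.
func RunScenarios() (map[string]TrustLevel, error) {
	authPub, authPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	sitePub, sitePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	const origin = "https://apps.example.org" // constructed origin

	att := &Attestation{Origin: origin, SiteKey: sitePub}
	att.Sig = ed25519.Sign(authPriv, attestationMessage(origin, sitePub))

	contents := []byte("constructed packaged app bytes")
	pkg := SignedPackage{Origin: origin, Contents: contents}
	pkg.Sig = ed25519.Sign(sitePriv, packageDigest(origin, contents))

	results := map[string]TrustLevel{}
	results["genuine"], _ = DecideTrust(authPub, att, pkg)

	tampered := pkg // same signature, one byte appended to the contents
	tampered.Contents = append(append([]byte{}, contents...), '!')
	results["tampered"], _ = DecideTrust(authPub, att, tampered)

	results["no-credential"], _ = DecideTrust(authPub, nil, pkg)

	// A genuine attestation, but for a different origin than the package claims.
	other := &Attestation{Origin: "https://other.example.net", SiteKey: sitePub}
	other.Sig = ed25519.Sign(authPriv, attestationMessage(other.Origin, sitePub))
	results["wrong-origin"], _ = DecideTrust(authPub, other, pkg)
	return results, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, lvl := range res {
		fmt.Printf("%-14s -> %v\n", name, lvl)
	}
}
```

The shape of DecideTrust is the point: a package downloaded from a "known evil site" that still passes both verifications is trusted, because the check binds the bytes to the attested key of the claimed origin rather than to the place they were fetched from; everything that fails, or that arrives with no credential at all, lands on the default of not trusted.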
