sysapps / runtime

Runtime and Security Model for Hosted Web Applications and Packaged Applications

Define what should be done when a trusted application is being installed from a non-trusted source #46

Open mounirlamouri opened 11 years ago

mounirlamouri commented 11 years ago

(I believe we should make the app not trusted.)

draggett commented 11 years ago

On 09/04/13 13:47, Mounir Lamouri wrote:

(I believe we should make the app not trusted.)

That makes sense as a default, but what if the app is accompanied with a certificate acting as a credential from a trusted third party?

Perhaps the origin claimed by the app is trusted, e.g. a well known website with a solid gold reputation. In this case, we need a way to verify that the app was issued by that site and hasn't been tampered with.

Perhaps we have a certificate from a trusted authority attesting to the public key for the site in question? This would allow for an offline check if the app has been signed by the site. Otherwise, a dynamic check could be made with the site to verify that the app was created by that site and hasn't been tampered with.

The latter idea avoids a dependency on bona fide certificates, and reflects the common experience of sites whose certificates have expired or, less commonly, were self-signed. Just how important this is isn't clear to me. Perhaps it is okay to require trusted sites to have bona fide certificates? Is there a way to get certificates for specific URIs rather than just for domains? If so, then this would enable developers to place their apps on trusted servers for which they don't have full administrative control.

The ability to install an app without being online would be useful for apps transferred by a USB stick in environments where Internet access is not practical for whatever reason.

Dave Raggett dsr@w3.org http://www.w3.org/People/Ragg

jmajnert commented 11 years ago

For hosted apps the issue seems to be simple: if we trust the entity that serves us the manifest, we trust the app itself. In that context I don't quite get how a trusted app might be installed from an untrusted source. By my understanding the source of the installation is the place that hosts the manifest.

For packaged apps, OTOH, to solve this issue I think we should first define how an application is identified (issue https://github.com/sysapps/runtime/issues/99) and what makes an application "trusted". As @draggett noted above, if a packaged app contains a valid signature (something like http://www.w3.org/TR/widgets-digsig/) then I don't see any reason not to trust it even if it comes from a known evil site.
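The two rules discussed in this thread, hosted apps inheriting trust from the origin that serves the manifest, and packaged apps being trusted only when an offline signature check succeeds under a publisher key attested by a trusted authority, written out as an added example that is not the sysapps/runtime project's own code. The Ed25519 signature scheme, the `App` and `Policy` structures and the origins used are assumptions for illustration, not anything the thread specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// App is a simplified installable application (constructed for this example).
type App struct {
	Hosted    bool
	Origin    string // origin serving the manifest (hosted) or claimed by the package
	Package   []byte // packaged app contents; nil for hosted apps
	Signature []byte // publisher's signature over Package; nil if unsigned
}

// Policy is what the runtime already trusts: origins whose hosted manifests are
// trusted, and per-origin publisher keys attested by a trusted authority.
type Policy struct {
	TrustedOrigins map[string]bool
	AttestedKeys   map[string]ed25519.PublicKey
}

// Decide reports whether the app may be installed as trusted. Hosted apps inherit
// trust from the manifest origin; packaged apps must verify offline under the key
// attested for the origin they claim, whatever the download source. Otherwise: not trusted.
func (p Policy) Decide(a App) bool {
	if a.Hosted {
		return p.TrustedOrigins[a.Origin]
	}
	key, ok := p.AttestedKeys[a.Origin]
	if !ok {
		return false // no attested key for the claimed origin
	}
	return ed25519.Verify(key, a.Package, a.Signature) // false on tampering or bad/missing signature
}

// SignPackage is the publisher-side step: sign the package bytes with the site's key.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, pkg)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	p := Policy{map[string]bool{"https://good.example": true}, map[string]ed25519.PublicKey{"https://good.example": pub}}
	pkg := []byte("constructed package bytes")
	sig := SignPackage(priv, pkg)
	fmt.Println(p.Decide(App{Origin: "https://good.example", Package: pkg, Signature: sig}))               // true
	fmt.Println(p.Decide(App{Origin: "https://good.example", Package: []byte("tampered"), Signature: sig})) // false
}
```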