W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Proposed changes to Widgets Signatures

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Thu, 8 Jan 2009 09:33:48 -0500
Message-Id: <B6D3816F-101D-4AB2-A46E-3607F3A5F351@nokia.com>
To: public-webapps <public-webapps@w3.org>
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>

I suggest the following changes to the current Widget 1.0 Signatures  
Editors Draft, after a quick look:

(1) Reference XML Signature 1.1 (which is currently under development  
in XML Security WG). The reason is that this update to XML Signature  
will include new algorithms such as SHA-256 etc, and define how they  
are to be used in context of XML Signature, including processing rules  
and security considerations specific to the algorithms etc.

No use in replicating this work in the Widgets Signature document.

(2) Signature Properties

Suggest the Widgets Signature spec reference the Signature Properties  
draft produced in the XML Security WG [1], assuming that goes forward  
appropriately. That draft can define the properties and their  
processing rules in the context of XML Signature.

Proposed text for this section (with TBDs for URIs to be filled in  
later):

"An XML Signature used for widget signing according to this  
specification MUST contain the following Common Signature Properties,  
as defined in the [ref-Signature-Properties]:

1. Profile property with URI attribute value of <dated widgets  
signature recommendation uri>

2. Expires property

3. Role Property

The values of the role property are defined in this document as follows:
Author: URI TBD, the entity that wrote the software
Distributor: URI TBD, who provides the software for installation

Each of these properties MUST be included in a ds:Object element that  
is included in the ds:Signature using a ds:Reference as outlined in  
[ref-Signature-Properties].

(3) Remove second warning in second 6 (issue) since URI has been  
corrected.

(4) Update procedure for verifying a widget signature to read as  
follows, also change heading (this is just a rough outline to help us  
get started):

Procedure for Widget Signature Validation

A Widget Signature MUST be validated according to Extended Core  
Validation, as defined in [ref-signature-properties]. This includes  
Core Validation as defined in XML Signature [ref-signature].

Note that signature verification requires successful Reference  
validation for every Reference.

Widget Signature validation MAY include certificate chain validation,  
as defined in PKIX [ref-pkix] for the certificate chain conveyed in  
the Signature KeyInfo . Widget validation MAY also include CRL and/or  
OCSP validation for any of these items conveyed in the Signature  
KeyInfo.

If Widget Signature Validation fails for any reason the widget package  
MUST NOT be installed.

The reason for validation failure MAY be returned, including reasons  
related to Reference validation, Signature validation, SIgnature  
Property validation and/or certificate and CRL/OCSP verification.

(Has the WG discussed the potential concern of device cost for  
certificate chain and/or CRL/OCSP validation - is there one? Possibly  
MAY for returning reasons since not all implementations may have  
access to all information to return, if implemented using separate  
libraries?)

regards, Frederick

Frederick Hirsch
Nokia

[1] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0038.html
Received on Thursday, 8 January 2009 14:34:36 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:29 GMT