W3C home > Mailing lists > Public > public-xmlsec@w3.org > January 2009

Fwd: Proposed changes to Widgets Signatures

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Thu, 8 Jan 2009 09:35:18 -0500
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
Message-Id: <E23B93DD-A4B0-401E-8C4F-02005567CCBA@nokia.com>
To: XMLSec WG Public List <public-xmlsec@w3.org>

fyi, suggestions welcome

draft at http://dev.w3.org/2006/waf/widgets-digsig/

regards, Frederick

Frederick Hirsch

Begin forwarded message:

> From: Frederick Hirsch <frederick.hirsch@nokia.com>
> Date: January 8, 2009 9:33:48 AM EST
> To: public-webapps <public-webapps@w3.org>
> Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
> Subject: Proposed changes to Widgets Signatures
> I suggest the following changes to the current Widget 1.0 Signatures  
> Editors Draft, after a quick look:
> (1) Reference XML Signature 1.1 (which is currently under  
> development in XML Security WG). The reason is that this update to  
> XML Signature will include new algorithms such as SHA-256 etc, and  
> define how they are to be used in context of XML Signature,  
> including processing rules and security considerations specific to  
> the algorithms etc.
> No use in replicating this work in the Widgets Signature document.
> (2) Signature Properties
> Suggest the Widgets Signature spec reference the Signature  
> Properties draft produced in the XML Security WG [1], assuming that  
> goes forward appropriately. That draft can define the properties and  
> their processing rules in the context of XML Signature.
> Proposed text for this section (with TBDs for URIs to be filled in  
> later):
> "An XML Signature used for widget signing according to this  
> specification MUST contain the following Common Signature  
> Properties, as defined in the [ref-Signature-Properties]:
> 1. Profile property with URI attribute value of <dated widgets  
> signature recommendation uri>
> 2. Expires property
> 3. Role Property
> The values of the role property are defined in this document as  
> follows:
> Author: URI TBD, the entity that wrote the software
> Distributor: URI TBD, who provides the software for installation
> Each of these properties MUST be included in a ds:Object element  
> that is included in the ds:Signature using a ds:Reference as  
> outlined in [ref-Signature-Properties].
> (3) Remove second warning in second 6 (issue) since URI has been  
> corrected.
> (4) Update procedure for verifying a widget signature to read as  
> follows, also change heading (this is just a rough outline to help  
> us get started):
> Procedure for Widget Signature Validation
> A Widget Signature MUST be validated according to Extended Core  
> Validation, as defined in [ref-signature-properties]. This includes  
> Core Validation as defined in XML Signature [ref-signature].
> Note that signature verification requires successful Reference  
> validation for every Reference.
> Widget Signature validation MAY include certificate chain  
> validation, as defined in PKIX [ref-pkix] for the certificate chain  
> conveyed in the Signature KeyInfo . Widget validation MAY also  
> include CRL and/or OCSP validation for any of these items conveyed  
> in the Signature KeyInfo.
> If Widget Signature Validation fails for any reason the widget  
> package MUST NOT be installed.
> The reason for validation failure MAY be returned, including reasons  
> related to Reference validation, Signature validation, SIgnature  
> Property validation and/or certificate and CRL/OCSP verification.
> (Has the WG discussed the potential concern of device cost for  
> certificate chain and/or CRL/OCSP validation - is there one?  
> Possibly MAY for returning reasons since not all implementations may  
> have access to all information to return, if implemented using  
> separate libraries?)
> regards, Frederick
> Frederick Hirsch
> Nokia
> [1] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0038.html
Received on Thursday, 8 January 2009 14:36:25 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:10 UTC