W3C home > Mailing lists > Public > public-xmlsec@w3.org > January 2009

Fwd: Proposed changes to Widgets Signatures

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Thu, 8 Jan 2009 09:35:18 -0500
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
Message-Id: <E23B93DD-A4B0-401E-8C4F-02005567CCBA@nokia.com>
To: XMLSec WG Public List <public-xmlsec@w3.org>

fyi, suggestions welcome

draft at http://dev.w3.org/2006/waf/widgets-digsig/

regards, Frederick

Frederick Hirsch
Nokia



Begin forwarded message:

> From: Frederick Hirsch <frederick.hirsch@nokia.com>
> Date: January 8, 2009 9:33:48 AM EST
> To: public-webapps <public-webapps@w3.org>
> Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
> Subject: Proposed changes to Widgets Signatures
>
> I suggest the following changes to the current Widget 1.0 Signatures  
> Editors Draft, after a quick look:
>
> (1) Reference XML Signature 1.1 (which is currently under  
> development in XML Security WG). The reason is that this update to  
> XML Signature will include new algorithms such as SHA-256 etc, and  
> define how they are to be used in context of XML Signature,  
> including processing rules and security considerations specific to  
> the algorithms etc.
>
> No use in replicating this work in the Widgets Signature document.
>
> (2) Signature Properties
>
> Suggest the Widgets Signature spec reference the Signature  
> Properties draft produced in the XML Security WG [1], assuming that  
> goes forward appropriately. That draft can define the properties and  
> their processing rules in the context of XML Signature.
>
> Proposed text for this section (with TBDs for URIs to be filled in  
> later):
>
> "An XML Signature used for widget signing according to this  
> specification MUST contain the following Common Signature  
> Properties, as defined in the [ref-Signature-Properties]:
>
> 1. Profile property with URI attribute value of <dated widgets  
> signature recommendation uri>
>
> 2. Expires property
>
> 3. Role Property
>
> The values of the role property are defined in this document as  
> follows:
> Author: URI TBD, the entity that wrote the software
> Distributor: URI TBD, who provides the software for installation
>
> Each of these properties MUST be included in a ds:Object element  
> that is included in the ds:Signature using a ds:Reference as  
> outlined in [ref-Signature-Properties].
>
> (3) Remove second warning in second 6 (issue) since URI has been  
> corrected.
>
> (4) Update procedure for verifying a widget signature to read as  
> follows, also change heading (this is just a rough outline to help  
> us get started):
>
> Procedure for Widget Signature Validation
>
> A Widget Signature MUST be validated according to Extended Core  
> Validation, as defined in [ref-signature-properties]. This includes  
> Core Validation as defined in XML Signature [ref-signature].
>
> Note that signature verification requires successful Reference  
> validation for every Reference.
>
> Widget Signature validation MAY include certificate chain  
> validation, as defined in PKIX [ref-pkix] for the certificate chain  
> conveyed in the Signature KeyInfo . Widget validation MAY also  
> include CRL and/or OCSP validation for any of these items conveyed  
> in the Signature KeyInfo.
>
> If Widget Signature Validation fails for any reason the widget  
> package MUST NOT be installed.
>
> The reason for validation failure MAY be returned, including reasons  
> related to Reference validation, Signature validation, SIgnature  
> Property validation and/or certificate and CRL/OCSP verification.
>
> (Has the WG discussed the potential concern of device cost for  
> certificate chain and/or CRL/OCSP validation - is there one?  
> Possibly MAY for returning reasons since not all implementations may  
> have access to all information to return, if implemented using  
> separate libraries?)
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> [1] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0038.html
>
>
Received on Thursday, 8 January 2009 14:36:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:57 GMT