- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Fri, 16 Oct 2009 14:01:47 +0200
- To: XMLSec WG Public List <public-xmlsec@w3.org>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
I propose we make the following changes to the XML Security requirements document [1]:

1. Merge the Transform Simplification document [2] into the main use cases and requirements document. Update the simplification document to indicate that it has been merged into the use cases and requirements document. Merge abstract, references and acknowledgements sections. I think this makes sense since it is logically part of the requirements document, this will reduce confusion and the number of documents.

2. Change the section title from "Transforms" to "Simplify processing model, reduce attack surface, and enable streaming".

2. Move the namespaces note in the transform note into the design section of that use case.

3. Change the title of the requirements document to "XML Security Requirements and Design"

4. Revise section 3 heading and introductory paragraph. Change to:

"Requirements and Design Options"

"This section outlines the motivation, requirements and design considerations for use cases and core aspects of XML Security specifications,"

(the text and bullet list before 3.1 in section 3 is removed and replaced with the above.)

The reason is that some of the cases are general considerations like security, while others are specific applications like web services security. Not all bullets in the original list have been covered.

5. Add a section, "Widget Security" with the following content:

Use Cases

Widgets may require signing for integrity protection and source authentication. This signing of a Widget package may be provided using XML Signature.

Requirements

Provide the ability to sign and verify a widget package using XML Signature.

Enable the use of SHA-256 to support sufficient security.

Support the use of properties in a XML Signature, including Profile, Role, and Identifier properties to enable interoperable interpretation of signatures.

See the Widget Signature specification for a summary of requirements [3].

Design

Define generic widget properties.

See XML Signature Properties [4]. (add reference to document)

6. Fix long line in example in 3.3.5.1, Create a ds:DerivedKey Type

Please indicate any concern with these changes to the list - I'd like to agree on them on 20 Oct call so that we can have an updated draft for the F2F. At TPAC the WG can agree to an updated publication of these documents.

What do you think?

regards, Frederick

Frederick Hirsch
Nokia

[1] http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/Overview.html
[2] http://www.w3.org/2008/xmlsec/Drafts/transform-note/Overview.html
[3] http://dev.w3.org/2006/waf/widgets-digsig/
[4] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-properties/Overview.html
Received on Friday, 16 October 2009 12:03:07 UTC