- From: Marcos Caceres <marcosscaceres@gmail.com>
- Date: Wed, 2 Apr 2008 14:32:16 +1000
- To: w3c-ietf-xmldsig@w3.org
- Cc: "WAF WG (public)" <public-appformats@w3.org>
Hi members of the Digital Signature Working Group,

The Web Application Formats Working Group is currently trying to define a "profile" of the XML dig sig spec to use with our Widgets Specification[1], and we were hoping to get some initial feedback. The specification we are working on is called Widgets 1.0: Digital Signature. The latest editor's draft can be found at [2].

The idea is simple: leverage XML DigSig to digitally sign files inside a zip archive. The signature scheme we are trying to define imposes a number of restrictions on the XML-Signature Syntax and Processing Specification:

1. All resources must be treated as digital content (data objects) and the signature must be included in a 'signature.xml' file.
2. RSA-SHA1 is the only supported digest method.
3. A KeyInfo element must be present and the digital certificate format must conform to the X509 specification (other cert formats are not supported).
4. The XML signature file must be encoded as [UTF-8].
5. SignatureProperties elements are ignored by the specification, but they may be present in a signature document.

Does that sound reasonable?

We are also wondering if we need to define our own Transform Algorithm, as the data may be transformed from Deflate compressed data to an uncompressed representation before being signed? For example:

    <Reference URI="index.html">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/ns/widgets#digsig-deflate"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>lm...34=</DigestValue>
    </Reference>

And lastly, is core validation performed by default when <reference>s are included in a <manifest>? We obviously want the data of the files of the data to be verified to make sure that none of the files in the Zip archive have been replaced.

Any comments/feedback would be greatly appreciated.

Kind regards,
Marcos

[1] http://dev.w3.org/2006/waf/widgets/
[2] http://dev.w3.org/2006/waf/widgets-digsig/

--
Marcos Caceres
http://datadriven.com.au
Received on Wednesday, 2 April 2008 04:32:53 UTC
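Added example, not part of the original message or of the Widgets draft: a sketch of the reference check the message asks about, digesting each zip entry's uncompressed bytes and comparing the result with the `DigestValue` in `signature.xml`. The helper names, the sample files and the bare `Signature` document are constructed for illustration; validation of `SignatureValue` and of the X.509 certificate is not shown.

```python
import base64
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_URI = DSIG_NS + "sha1"          # digest algorithm from the message's sample Reference
SIGNATURE_FILE = "signature.xml"     # file name required by restriction 1

def make_zip(files):
    """Build an in-memory Deflate-compressed archive from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def b64_sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def make_references(files):
    """Emit a bare <Signature> with one <Reference> per file; no SignatureValue is produced."""
    refs = "".join(
        f'<Reference URI="{name}"><DigestMethod Algorithm="{SHA1_URI}"/>'
        f"<DigestValue>{b64_sha1(data)}</DigestValue></Reference>"
        for name, data in files.items()
    )
    return f'<Signature xmlns="{DSIG_NS}"><SignedInfo>{refs}</SignedInfo></Signature>'

def check_references(zip_bytes):
    """Return (per-file digest results, archive entries that no Reference covers)."""
    ns = {"ds": DSIG_NS}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        root = ET.fromstring(zf.read(SIGNATURE_FILE))
        results = {}
        for ref in root.iterfind(".//ds:Reference", ns):
            name = ref.get("URI")
            algo_ok = ref.find("ds:DigestMethod", ns).get("Algorithm") == SHA1_URI
            expected = ref.findtext("ds:DigestValue", default="", namespaces=ns).strip()
            # zf.read() inflates the entry, so the digest covers the uncompressed bytes.
            results[name] = algo_ok and name in zf.namelist() and b64_sha1(zf.read(name)) == expected
        unsigned = sorted(set(zf.namelist()) - set(results) - {SIGNATURE_FILE})
    return results, unsigned

ORIGINAL = {"index.html": b"<html>widget</html>", "config.xml": b"<widget/>"}
SIGNED = make_zip({**ORIGINAL, SIGNATURE_FILE: make_references(ORIGINAL).encode()})
TAMPERED = make_zip({**ORIGINAL, "index.html": b"<html>replaced</html>", "extra.js": b"//",
                     SIGNATURE_FILE: make_references(ORIGINAL).encode()})
```

`check_references(TAMPERED)` flags the replaced `index.html` and also reports `extra.js`, an entry that no `Reference` covers; digest comparison alone would not notice a file added to the archive.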