Widget Signature Issue and Proposed Resolution

ISSUE: Widget Signature: Not specifying Canonicalization algorithm

Detail: The current Widget Signature specification does not allow the
use of XML Signature Transforms, however the only means to explicitly
specify the Canonicalization method to use is to use a transform (in
XML Signature 1.1 and earlier). Using the default may be
problematical if organizations are not able to confirm the default in
use, or because a different algorithm is required (for example with
an Id on ds:Object Canonical XML 1.1 should be used, but the default
is Canonical XML 1.0).


Disallow all Transforms except for a single canonicalization
transform that is required for every ds:Reference that needs XML
content canonicalization.

Specifically, this would result in the following changes to the
Widget Signature specification [1]:

(1) Normative change:

Section 7.1 Common Constraints for Signature Generation and Validation

Change 3c from "The ds:Reference MUST NOT have any ds:Transform
elements." to

"The ds:Reference MUST NOT have any ds:Transform elements other than
a single Transform to specify the canonicalization method. A
ds:Transform element specifying Canonicalization method MUST be
present when the ds:Reference is known to reference XML content.
Canonical XML 1.1 MUST be specified as the Canonicalization
Algorithm. For example, a ds:Transform specifying the canonicalization
method is needed for the config.xml reference as well as the Object

(2) Non-normative change:

1.4 Example


<Transforms>  <Transform Algorithm="http://www.w3.org/2006/12/xml- 
as the first child element of the following Reference elements in the
example 1.4 (formatting appropriately and renumbering lines):
<Reference URI="config.xml">
<Reference URI="#prop">

regards, Frederick

Frederick Hirsch

[1] http://www.w3.org/TR/widgets-digsig/

Received on Monday, 29 March 2010 20:17:20 UTC
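
The proposed constraint 3c, expressed as a check over a signature's ds:Reference elements. This is an added example, not part of the original message or of the Widget Signature specification. The function names, the heuristic for "known to reference XML content" (same-document URIs and names ending in .xml), the DOCTYPE rejection and the sample signature are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N11 = "http://www.w3.org/2006/12/xml-c14n11"  # Canonical XML 1.1 identifier

def references_xml(uri):
    # Assumption for this example: same-document references (#id) and
    # files named *.xml are the References "known to reference XML content".
    return uri.startswith("#") or uri.lower().endswith(".xml")

def check_references(signature_xml):
    """Return (uri, problem) pairs for References that break proposed rule 3c."""
    if "<!DOCTYPE" in signature_xml:
        # Added hardening, not from the proposal: no DTDs in untrusted input.
        raise ValueError("DOCTYPE not allowed in a signature document")
    root = ET.fromstring(signature_xml)
    problems = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        transforms = ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")
        if len(transforms) > 1:
            problems.append((uri, "more than one Transform"))
        elif transforms:
            alg = transforms[0].get("Algorithm")
            if alg != C14N11:
                problems.append((uri, f"Transform is not Canonical XML 1.1: {alg}"))
        elif references_xml(uri):
            problems.append((uri, "XML content without canonicalization Transform"))
    return problems

# Constructed sample: one compliant XML Reference, one binary file,
# one Object reference missing its Transform, one wrong algorithm.
SAMPLE = f"""<Signature xmlns="{DS}"><SignedInfo>
  <Reference URI="config.xml"><Transforms>
    <Transform Algorithm="{C14N11}"/></Transforms></Reference>
  <Reference URI="icon.png"/>
  <Reference URI="#prop"/>
  <Reference URI="data.xml"><Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </Transforms></Reference>
</SignedInfo></Signature>"""

if __name__ == "__main__":
    for uri, problem in check_references(SAMPLE):
        print(f"{uri}: {problem}")
```

A validator applying the rule this way never falls back to the implicit Canonical XML 1.0 default for XML content, which is the ambiguity the issue describes.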