Widget Signature Issue and Proposed Resolution from Frederick Hirsch on 2010-03-29 (public-webapps@w3.org from January to March 2010)

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Mon, 29 Mar 2010 16:16:42 -0400
To: public-webapps WG <public-webapps@w3.org>
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, Thomas Roessler <tlr@w3.org>, Arthur Barstow <art.barstow@nokia.com>
Message-Id: <39FC487C-CDE1-4589-999B-5E8F1E72063A@nokia.com>

ISSUE:  Widget Signature : Not specifying Canonicalization algorithm  
explicitly

Detail: The current Widget Signature specification does not allow the   
use of XML Signature Transforms, however the only means to explicitly  
specify the Canonicalization method to use  to use a transform (in  
XML  Signature 1.1 and earlier). Using the default may be  
problematical if  organizations are not able to confirm the default in  
use, or because a  different algorithm is required (for example with  
an Id on ds:Object   Canonical XML 1.1 should be used, but the default  
is Canonical XML  1.0)

PROPOSAL:

Disallow all Transforms except for a single canonicalization  
transform  that is required for every ds:Reference that needs XML  
content canonicalization.

Specifically, this would result in the following changes to the  
Widget  Signature specification  [1]:

(1) Normative change:

Section 7.1 Common Constraints for Signature Generation and Validation

Change 3c from "The ds:Reference MUST NOT have any ds:Transform   
elements." to

"The ds:Reference MUST NOT have any ds:Transform elements other than  
a  single Transform to specify the canonicalization method. A   
ds:Transform element specifying Canonicalization method  MUST be   
present when the ds:Reference is known to reference XML content.   
Canonical XML 1.1 MUST be specified as the Canonicalization   
Algorithm. For example, a ds:Transform specifying the canonicalization  
method is needed for the config.xml reference as well as the Object  
reference.

(2) Non-normative change:

1.4 Example

Add

<Transforms>  <Transform Algorithm="http://www.w3.org/2006/12/xml- 
c14n11"/></Transforms>
as the first child element of the following Reference elements in the   
example 1.4 (formatting appropriately and renumbering lines):
<Reference URI="config.xml">
<Reference URI="#prop">
----------

regards, Frederick

Frederick Hirsch
Nokia

[1] http://www.w3.org/TR/widgets-digsig/

Received on Monday, 29 March 2010 20:17:20 UTC