Questions regarding to "Test Suite for the XML Digital Signatures For Widgets Specification " from Andrey Nazarov on 2011-01-27 (public-webapps@w3.org from January to March 2011)

From: Andrey Nazarov <Andrey.Nazarov@oracle.com>
Date: Thu, 27 Jan 2011 20:12:28 +0300
To: public-webapps@w3.org
Message-ID: <4D41A77C.1040605@oracle.com>

Hello All,
I hope it is right place to ask about Test Suite for the XML Digital Signatures
For Widgets Specification.
If not, where is better?

I. Test 19rsa.wgt.

I found that the author-signature.xml and signature1.xml files were corrected
today (27-Jan-2011).
It seems to me that this correction broken correspondence betwee specification
and test.

Why values of the "CanonicalizationMethod Algorithm" attribute of SignedInfo and
"Transform Algorithm" attribute of Reference were changed to the same value
http://www.w3.org/TR/2001/REC-xml-c14n-20010315?

The specification document "Digital Signatures for Widgets W3C Candidate
Recommendation 24 June 2010"
(http://www.w3.org/TR/widgets-digsig/#xmldsig11)
has the following sentences:

1. The following canonicalization algorithms /MUST/ be supported by an
implementation <http://dev.w3.org/2006/waf/widgets-digsig/#implementation>:
Exclusive XML Canonicalization 1.0 (omits comments) [XML-exc-C14N]
<http://dev.w3.org/2006/waf/widgets-digsig/#xml-exc-c14n>:|http://www.w3.org/2001/10/xml-exc-c14n#|
(see chapter8.3. Canonicalization Algorithms)
I think it means that the "CanonicalizationMethod Algorithm" attribute of
SignedInfo must be |http://www.w3.org/2001/10/xml-exc-c14n#

2. |A |ds:Reference| to same-document XML content /MUST/ have a |ds:Transform|
element child that specifies the canonicalization method. Canonical XML 1.1
/MUST/ be specified as the Canonicalization Algorithm for this transform.
(see chapter9.2. Common Constraints for Signature Generation and Validation)
I think it means that the "Transform Algorithm" attribute of ds:Transform must
be http://www.w3.org/2006/12/xml-c14n11.

||3. An implementation /SHOULD/ be able to process a |ds:Reference| to
same-document XML content when that |ds:Reference| does not have a
|ds:Transform| child element, for backward compatibility. In this case the
default canonicalization algorithm Canonical XML 1.0 will be used.
(see chapter9.2. Common Constraints for Signature Generation and Validation)
I think only for this case could be used the
"http://www.w3.org/TR/2001/REC-xml-c14n-20010315" URI.

Why this correction was done?

II. Test 19dsa.wgt.
Could somebody confirm that this test is correct?
The deal is when I look on the certificate that is used for this test I see
that it contain information about DSA Public Key, but the Signature Algorithm
for this certificate is pointed as SHA1withRSA. Is it correct?

Thank you in advance,
Andrey

Received on Thursday, 27 January 2011 18:08:33 UTC