
[fwd] [Widgets] Widget DigSig request for comments (from: marcosscaceres@gmail.com)

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 2 Apr 2008 11:12:46 +0200
To: public-xmlsec-maintwg@w3.org
Cc: marcosscaceres@gmail.com
Message-ID: <20080402091246.GQ150@iCoaster.does-not-exist.org>

Forwarding to the XML Security Specifications Maintenance WG.
-- 
Thomas Roessler, W3C  <tlr@w3.org>
----- Forwarded message from Marcos Caceres <marcosscaceres@gmail.com> -----

From: Marcos Caceres <marcosscaceres@gmail.com>
To: w3c-ietf-xmldsig@w3.org
Cc: "WAF WG (public)" <public-appformats@w3.org>
Date: Wed, 2 Apr 2008 14:32:16 +1000
Subject: [Widgets] Widget DigSig request for comments
List-Id: <public-appformats.w3.org>
Archived-At: <http://www.w3.org/mid/b21a10670804012132o7b03b88o6848329a3ba7710c@mail.gmail.com>


Hi members of the Digital Signature Working Group,
The Web Application Formats Working Group is currently trying to
define a "profile" of the XML dig sig spec to use with our Widgets
Specification[1], and we were hoping to get some initial feedback. The
specification we are working on is called Widgets 1.0: Digital
Signature. The latest editor's draft can be found at [2].

The idea is simple: leverage XML DigSig to digitally sign files inside
a zip archive.

The signature scheme we are trying to define imposes a number of
restrictions on the XML-Signature Syntax and Processing Specification:

   1. All resources must be treated as digital content (data objects) and the signature must be included in a 'signature.xml' file.
   2. RSA-SHA1 is the only supported digest method.
   3. A KeyInfo element must be present and the digital certificate format must conform to the X509 specification (other cert formats are not supported).
   4. The XML signature file must be encoded as [UTF-8].
   5. SignatureProperties elements are ignored by the specification, but they may be present in a signature document.

Does that sound reasonable?

We are also wondering if we need to define our own Transform
Algorithm, as the data may be transformed from Deflate compressed data
to an uncompressed representation before being signed? For example:

<Reference URI="index.html">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/ns/widgets#digsig-deflate"/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <DigestValue>lm...34=</DigestValue>
</Reference>

And lastly, is core validation performed by default when <reference>s
are included in a <manifest>? We obviously want the data of the files
of the data to be verified to make sure that none of the files in
the Zip archive have been replaced.

Any comments/feedback would be greatly appreciated.

Kind regards,
Marcos

[1] http://dev.w3.org/2006/waf/widgets/
[2] http://dev.w3.org/2006/waf/widgets-digsig/
-- 
Marcos Caceres
http://datadriven.com.au
----- End forwarded message -----
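As an added, constructed illustration (not code from the message, the WAF WG or the Widgets spec), the following Python check applies the five restrictions above to a zipped widget: it requires an X509Data KeyInfo and the SHA-1 digest method, and recomputes every Reference digest over the inflated entry bytes (the "deflate transform" the message asks about), so a replaced file in the archive is detected. The certificate and SignatureValue are placeholders; RSA signature verification is out of scope here.

```python
import base64, hashlib, io, zipfile
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SHA1_URI = DSIG + "sha1"
NS = {"ds": DSIG}

def make_signature_xml(entries):
    """Constructed signature.xml for the profile: one Reference per data object,
    SHA-1 digest over the inflated bytes, KeyInfo with X509Data present.
    SignatureValue and the certificate are placeholders (no real signing here)."""
    refs = "".join(
        f'<Reference URI="{name}"><DigestMethod Algorithm="{SHA1_URI}"/>'
        f"<DigestValue>{base64.b64encode(hashlib.sha1(data).digest()).decode()}"
        "</DigestValue></Reference>" for name, data in entries.items())
    return (f'<?xml version="1.0" encoding="UTF-8"?><Signature xmlns="{DSIG}">'
            f"<SignedInfo>{refs}</SignedInfo><SignatureValue>PLACEHOLDER</SignatureValue>"
            "<KeyInfo><X509Data><X509Certificate>PLACEHOLDER</X509Certificate>"
            "</X509Data></KeyInfo></Signature>").encode("utf-8")

def build_widget(files, replace=None):
    """Deflate the files plus signature.xml into a zip; `replace` swaps a file's
    content after the digests were computed, simulating a replaced entry."""
    sig = make_signature_xml(files)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in {**files, **(replace or {})}.items():
            z.writestr(name, data)
        z.writestr("signature.xml", sig)
    return buf.getvalue()

def check_references(zip_bytes):
    """Return {URI: digest_matches} for every Reference in signature.xml.
    ZipFile.read() yields the inflated bytes, so the digest is taken after
    the deflate transform, as the profile intends."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        root = ET.fromstring(z.read("signature.xml"))  # honours the UTF-8 declaration
        if root.find("ds:KeyInfo/ds:X509Data", NS) is None:
            raise ValueError("profile requires KeyInfo with X509Data")
        results = {}
        for ref in root.findall("ds:SignedInfo/ds:Reference", NS):
            if ref.find("ds:DigestMethod", NS).get("Algorithm") != SHA1_URI:
                raise ValueError("profile allows only the SHA-1 digest method")
            expected = base64.b64decode(ref.findtext("ds:DigestValue", namespaces=NS))
            results[ref.get("URI")] = hashlib.sha1(z.read(ref.get("URI"))).digest() == expected
    return results

# Constructed sample widget contents.
FILES = {"index.html": b"<html><body>hello widget</body></html>",
         "config.xml": b"<widget xmlns='http://www.w3.org/ns/widgets'/>"}
```

Calling `check_references(build_widget(FILES))` reports every reference intact, while `build_widget(FILES, replace={"index.html": b"..."})` yields `False` for the swapped entry only.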
Received on Wednesday, 2 April 2008 09:13:24 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:58:44 UTC