- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Thu, 8 Jan 2009 09:33:48 -0500
- To: public-webapps <public-webapps@w3.org>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
I suggest the following changes to the current Widget 1.0 Signatures Editors Draft, after a quick look:

(1) Reference XML Signature 1.1 (which is currently under development in XML Security WG).

The reason is that this update to XML Signature will include new algorithms such as SHA-256 etc, and define how they are to be used in context of XML Signature, including processing rules and security considerations specific to the algorithms etc. No use in replicating this work in the Widgets Signature document.

(2) Signature Properties

Suggest the Widgets Signature spec reference the Signature Properties draft produced in the XML Security WG [1], assuming that goes forward appropriately. That draft can define the properties and their processing rules in the context of XML Signature.

Proposed text for this section (with TBDs for URIs to be filled in later):

"An XML Signature used for widget signing according to this specification MUST contain the following Common Signature Properties, as defined in the [ref-Signature-Properties]:

1. Profile property with URI attribute value of <dated widgets signature recommendation uri>
2. Expires property
3. Role Property

The values of the role property are defined in this document as follows:

Author: URI TBD, the entity that wrote the software
Distributor: URI TBD, who provides the software for installation

Each of these properties MUST be included in a ds:Object element that is included in the ds:Signature using a ds:Reference as outlined in [ref-Signature-Properties]."

(3) Remove second warning in section 6 (issue) since URI has been corrected.

(4) Update procedure for verifying a widget signature to read as follows, also change heading (this is just a rough outline to help us get started):

Procedure for Widget Signature Validation

A Widget Signature MUST be validated according to Extended Core Validation, as defined in [ref-signature-properties]. This includes Core Validation as defined in XML Signature [ref-signature].

Note that signature verification requires successful Reference validation for every Reference.

Widget Signature validation MAY include certificate chain validation, as defined in PKIX [ref-pkix] for the certificate chain conveyed in the Signature KeyInfo. Widget validation MAY also include CRL and/or OCSP validation for any of these items conveyed in the Signature KeyInfo.

If Widget Signature Validation fails for any reason the widget package MUST NOT be installed. The reason for validation failure MAY be returned, including reasons related to Reference validation, Signature validation, Signature Property validation and/or certificate and CRL/OCSP verification.

(Has the WG discussed the potential concern of device cost for certificate chain and/or CRL/OCSP validation - is there one? Possibly MAY for returning reasons since not all implementations may have access to all information to return, if implemented using separate libraries?)

regards, Frederick

Frederick Hirsch
Nokia

[1] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0038.html
Received on Thursday, 8 January 2009 14:34:36 UTC
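An added example (not from this message or from the W3C drafts) of the property checks the proposed text implies: it parses a constructed widget ds:Signature, reports the Profile, Expires and Role properties, and flags a ds:Object carrying them that no ds:Reference covers. The signature-properties namespace and every URI are assumed placeholders, and cryptographic Core Validation is deliberately left to a separate step.

```python
"""Example checker (not W3C code): does a widget ds:Signature carry the Profile,
Expires and Role signature properties, inside a ds:Object covered by a ds:Reference?
The properties namespace and all URIs are assumed placeholders (TBD in the draft)."""
import datetime as dt
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
DSP = "{http://www.w3.org/2009/xmldsig-properties}"  # assumed namespace
ROLE_URIS = {"urn:example:role:author": "Author",     # placeholders, TBD in draft
             "urn:example:role:distributor": "Distributor"}

# Constructed sample; digests and signature value are elided, only structure matters.
SAMPLE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="sig1">
 <SignedInfo><Reference URI="#props"><DigestValue>...</DigestValue></Reference></SignedInfo>
 <SignatureValue>...</SignatureValue>
 <Object Id="props"><SignatureProperties xmlns:dsp="http://www.w3.org/2009/xmldsig-properties">
  <SignatureProperty Target="#sig1"><dsp:Profile URI="urn:example:widgets-sig-profile"/></SignatureProperty>
  <SignatureProperty Target="#sig1"><dsp:Expires>2029-01-08T00:00:00Z</dsp:Expires></SignatureProperty>
  <SignatureProperty Target="#sig1"><dsp:Role URI="urn:example:role:distributor"/></SignatureProperty>
 </SignatureProperties></Object>
</Signature>"""

def check_signature_properties(xml_text, now=None):
    """Return (role, reasons). Any reason means the widget MUST NOT be installed.
    Cryptographic Core Validation of SignedInfo is a separate step, not done here."""
    now = now or dt.datetime.now(dt.timezone.utc)
    reasons, props = [], None
    sig = ET.fromstring(xml_text)
    covered = {r.get("URI") for r in sig.iter(DS + "Reference")}
    for obj in sig.iter(DS + "Object"):
        sp = obj.find(DS + "SignatureProperties")
        if sp is not None:
            props = sp
            if "#" + (obj.get("Id") or "") not in covered:  # unsigned properties prove nothing
                reasons.append("SignatureProperties Object not covered by a ds:Reference")
    if props is None:
        return None, ["no ds:SignatureProperties in any ds:Object"]
    profile = props.find(".//" + DSP + "Profile")
    if profile is None or not profile.get("URI"):
        reasons.append("Profile property with URI attribute missing")
    expires = props.find(".//" + DSP + "Expires")
    if expires is None or not (expires.text or "").strip():
        reasons.append("Expires property missing")
    elif dt.datetime.fromisoformat(expires.text.strip().replace("Z", "+00:00")) <= now:
        reasons.append("signature expired at " + expires.text.strip())
    role_el = props.find(".//" + DSP + "Role")
    role = ROLE_URIS.get(role_el.get("URI")) if role_el is not None else None
    if role is None:
        reasons.append("Role property missing or role URI not Author/Distributor")
    return role, reasons
```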