I suggest the following changes to the current Widget 1.0 Signatures
Editors Draft, after a quick look:
(1) Reference XML Signature 1.1 (which is currently under development
in the XML Security WG). The reason is that this update to XML Signature
will include new algorithms such as SHA-256, etc., and define how they
are to be used in the context of XML Signature, including processing rules
and security considerations specific to the algorithms, etc.
No use in replicating this work in the Widgets Signature document.
(2) Signature Properties
Suggest the Widgets Signature spec reference the Signature Properties
draft produced in the XML Security WG [1], assuming that goes forward
appropriately. That draft can define the properties and their
processing rules in the context of XML Signature.
Proposed text for this section (with TBDs for URIs to be filled in
later):
"An XML Signature used for widget signing according to this
specification MUST contain the following Common Signature Properties,
as defined in [ref-Signature-Properties]:
1. Profile property with URI attribute value of <dated widgets signature recommendation uri>
2. Expires property
3. Role property
The values of the role property are defined in this document as follows:
Author: URI TBD, the entity that wrote the software
Distributor: URI TBD, who provides the software for installation
Each of these properties MUST be included in a ds:Object element that
is included in the ds:Signature using a ds:Reference as outlined in
[ref-Signature-Properties]."
(3) Remove the second warning in section 6 (issue) since the URI has been
corrected.
(4) Update procedure for verifying a widget signature to read as
follows, also change heading (this is just a rough outline to help us
get started):
Procedure for Widget Signature Validation
A Widget Signature MUST be validated according to Extended Core
Validation, as defined in [ref-signature-properties]. This includes
Core Validation as defined in XML Signature [ref-signature].
Note that signature verification requires successful Reference
validation for every Reference.
Widget Signature validation MAY include certificate chain validation,
as defined in PKIX [ref-pkix], for the certificate chain conveyed in
the Signature KeyInfo. Widget validation MAY also include CRL and/or
OCSP validation for any of these items conveyed in the Signature
KeyInfo.
If Widget Signature Validation fails for any reason the widget package
MUST NOT be installed.
The reason for validation failure MAY be returned, including reasons
related to Reference validation, Signature validation, Signature
Property validation and/or certificate and CRL/OCSP verification.
(Has the WG discussed the potential concern of device cost for
certificate chain and/or CRL/OCSP validation - is there one? Possibly
MAY for returning reasons since not all implementations may have
access to all information to return, if implemented using separate
libraries?)
regards, Frederick
Frederick Hirsch
Nokia
[1] http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0038.html
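Added example (not from the draft, the WG or this message) of what the property requirements in (2) and the Signature Property step of the validation procedure in (4) amount to in code: a Python check that the ds:Object elements actually covered by a ds:Reference carry the required Profile, Expires and Role properties. The dsp namespace and element names are assumed from the later published XML Signature Properties spec, the profile and role URIs are placeholders because the draft leaves them TBD, and cryptographic Core Validation is left to an XML Signature library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DS = "http://www.w3.org/2000/09/xmldsig#"
DSP = "http://www.w3.org/2009/xmldsig-properties"  # assumed (later published spec)
PROFILE_URI = "urn:example:widgets-signature-profile"  # placeholder, TBD in the draft
ROLE_URIS = {"urn:example:role:author", "urn:example:role:distributor"}  # placeholders
PROPS = ("Profile", "Expires", "Role")

def check_signature_properties(sig_xml, now=None):
    # Returns a list of failure reasons (empty when every MUST rule holds). Digests
    # and the SignatureValue are NOT verified here; that is Core Validation's job.
    now = now or datetime.now(timezone.utc)
    sig = ET.fromstring(sig_xml)
    failures = []
    # Only ds:Object elements named by a ds:Reference in ds:SignedInfo are signed.
    si = sig.find(f"{{{DS}}}SignedInfo")
    refs = si.iter(f"{{{DS}}}Reference") if si is not None else []
    signed = {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}
    found = {tag: [] for tag in PROPS}
    for obj in sig.findall(f"{{{DS}}}Object"):
        if obj.get("Id") in signed:
            for tag in PROPS:
                found[tag].extend(obj.iter(f"{{{DSP}}}{tag}"))
    for tag in PROPS:
        if not found[tag]:
            failures.append(f"{tag} property missing or not covered by a ds:Reference")
    for el in found["Profile"]:
        if el.get("URI") != PROFILE_URI:
            failures.append(f"unexpected Profile URI {el.get('URI')!r}")
    for el in found["Expires"]:
        try:
            exp = datetime.fromisoformat((el.text or "").strip().replace("Z", "+00:00"))
            exp = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
        except ValueError:
            failures.append("Expires is not a valid xs:dateTime")
            continue
        if exp <= now:
            failures.append(f"signature expired at {el.text.strip()}")
    for el in found["Role"]:
        if el.get("URI") not in ROLE_URIS:
            failures.append(f"unknown Role URI {el.get('URI')!r}")
    return failures

# Constructed sample; digest and signature values are placeholders.
SAMPLE = f"""<ds:Signature xmlns:ds="{DS}" xmlns:dsp="{DSP}" Id="sig"><ds:SignedInfo>
  <ds:Reference URI="#props"><ds:DigestValue>...</ds:DigestValue></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>...</ds:SignatureValue><ds:Object Id="props"><ds:SignatureProperties>
  <ds:SignatureProperty Target="#sig"><dsp:Profile URI="{PROFILE_URI}"/><dsp:Role URI="urn:example:role:author"/>
  <dsp:Expires>2099-01-01T00:00:00Z</dsp:Expires></ds:SignatureProperty></ds:SignatureProperties></ds:Object></ds:Signature>"""
```

A property placed in a ds:Object that no ds:Reference covers is reported as missing, which is the point of the "included using a ds:Reference" wording: unsigned properties give no assurance.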