ISSUE: Widget Signature : Not specifying Canonicalization algorithm
explicitly
Detail: The current Widget Signature specification does not allow the
use of XML Signature Transforms; however, the only means to explicitly
specify the Canonicalization method is to use a transform (in
XML Signature 1.1 and earlier). Using the default may be
problematical if organizations are not able to confirm the default in
use, or because a different algorithm is required (for example, with
an Id on ds:Object, Canonical XML 1.1 should be used, but the default
is Canonical XML 1.0).
PROPOSAL:
Disallow all Transforms except for a single canonicalization
transform that is required for every ds:Reference that needs XML
content canonicalization.
Specifically, this would result in the following changes to the
Widget Signature specification [1]:
(1) Normative change:
Section 7.1 Common Constraints for Signature Generation and Validation
Change 3c from "The ds:Reference MUST NOT have any ds:Transform
elements." to
"The ds:Reference MUST NOT have any ds:Transform elements other than
a single Transform to specify the canonicalization method. A
ds:Transform element specifying Canonicalization method MUST be
present when the ds:Reference is known to reference XML content.
Canonical XML 1.1 MUST be specified as the Canonicalization
Algorithm. For example, a ds:Transform specifying the canonicalization
method is needed for the config.xml reference as well as the Object
reference."
(2) Non-normative change:
1.4 Example
Add
<Transforms> <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/></Transforms>
as the first child element of the following Reference elements in the
example 1.4 (formatting appropriately and renumbering lines):
<Reference URI="config.xml">
<Reference URI="#prop">
----------
regards, Frederick
Frederick Hirsch
Nokia
[1] http://www.w3.org/TR/widgets-digsig/