I've just sent a complete draft of my proposal for digital signatures to Cherie. There are a few issues outstanding, some minor:
- I didn't know how to get the correct URN for the namespace when I defined 'xades' as a namespace in the table.
- There's no attempt to solve the signature-encryption conundrum. BTW, I have recently found NIST documents saying one should never have a clear-text signature of the clear-text of encrypted information. We also have a conflicting requirement that all the files be signed (which would include the manifest) and the need to alter the manifest to perform encryption using the current approach. It might be good to at least mention that once a file is signed, it cannot then be later encrypted using the technique defined in the standard.
- Apparently, Word, ODT files and revision tracking do not play nicely together. I didn't know the exact format for specifying the change, and it seemed like a revision-tracked copy would be helpful in reviewing a draft. I understand that this is a bit heretical in this particular context, but I saved them as .docx files to be able to send Cherie a draft. If someone would like to see the draft before Cherie turns it into a proper proposal, I'll be happy to forward the documents as-is to either individuals or the list.
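The signing-then-encrypting conflict raised in the second item above can be shown with a small sketch. This is an added example, not part of the original message or of the proposal. It assumes a package modelled as a dict of member name to bytes, reference digests taken over raw bytes (real XML-DSig canonicalizes XML first), and a placeholder in place of real encryption; the helper names and sample values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

MANIFEST = "META-INF/manifest.xml"
NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
ET.register_namespace("manifest", NS)

def build_package():
    """Constructed two-member package: member name -> bytes."""
    root = ET.Element(f"{{{NS}}}manifest")
    ET.SubElement(root, f"{{{NS}}}file-entry",
                  {f"{{{NS}}}full-path": "content.xml",
                   f"{{{NS}}}media-type": "text/xml"})
    return {"content.xml": b"<office:document-content/>",
            MANIFEST: ET.tostring(root)}

def sign_references(package):
    """Stand-in for the ds:Reference digests of a signature covering every file.
    Assumption: digest over raw bytes, no canonicalization, no key material."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in package.items()}

def encrypt_member(package, name):
    """Simulate encrypting one member after signing: its bytes are replaced and
    its manifest file-entry gains a manifest:encryption-data child."""
    out = dict(package)
    # Placeholder bytes standing in for ciphertext (not real encryption).
    out[name] = hashlib.sha256(b"constructed ciphertext").digest()
    root = ET.fromstring(package[MANIFEST])
    for entry in root.iter(f"{{{NS}}}file-entry"):
        if entry.get(f"{{{NS}}}full-path") == name:
            ET.SubElement(entry, f"{{{NS}}}encryption-data",
                          {f"{{{NS}}}checksum-type": "constructed-placeholder"})
    out[MANIFEST] = ET.tostring(root)
    return out

def broken_references(package, references):
    """Return the members whose current digest no longer matches the signed one."""
    return sorted(n for n, d in references.items()
                  if hashlib.sha256(package.get(n, b"")).hexdigest() != d)

if __name__ == "__main__":
    pkg = build_package()
    refs = sign_references(pkg)
    print("before encryption:", broken_references(pkg, refs))
    print("after encryption: ", broken_references(encrypt_member(pkg, "content.xml"), refs))
```

Both the encrypted member and the manifest fail verification afterwards, because the encryption metadata is written into the signed manifest itself.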
A summary of the changes:
Part 1, section 3.16:
Modified to read:
An OpenDocument document that is stored in a package may have one or more digital signatures applied to the package.
Document signatures shall be stored in a file called META-INF/documentsignatures.xml in the package as described in section 2.4 of the OpenDocument specification part 3.
A document signature shall be considered to be valid only if the "XML Digital Signature" contained in documentsignatures.xml is valid.
Document signatures shall contain a