Specification: NIST IR 7802 - Trust Model for Security Automation Data (TMSAD) Version 1.0
Authors: Adam Halbardier, Harold Booth
Version: 1.0
Date: 2011-09-22

Signature and digest algorithms:
- dsig:SignatureMethod SHOULD contain one of 'http://www.w3.org/2000/09/xmldsig#dsa-sha1', 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256'
- dsig:DigestMethod @Algorithm SHOULD contain one of 'http://www.w3.org/2001/04/xmlenc#sha256', 'http://www.w3.org/2001/04/xmldsig-more#sha384', 'http://www.w3.org/2001/04/xmlenc#sha512'
- dsig:DigestMethod @Algorithm SHOULD NOT contain 'http://www.w3.org/2000/09/xmldsig#sha1'
- When dsig:DigestMethod @Algorithm equals 'http://www.w3.org/2001/04/xmlenc#sha256' then dsig:DigestValue MUST be a 256 bit Base64 value
- When dsig:DigestMethod @Algorithm equals 'http://www.w3.org/2001/04/xmldsig-more#sha384' then dsig:DigestValue MUST be a 384 bit Base64 value
- When dsig:DigestMethod @Algorithm equals 'http://www.w3.org/2001/04/xmlenc#sha512' then dsig:DigestValue MUST be a 512 bit Base64 value

References and signature properties:
- At least two references SHOULD be provided on dsig:SignedInfo. One reference SHOULD be to the content being signed and the other reference SHOULD be to a dsig:SignatureProperties
- If more than one reference is supplied on dsig:SignedInfo, then at least one of the references SHOULD be to a dsig:SignatureProperties
- Every dsig:Manifest supplied on a signature MUST be referenced by a reference on the dsig:SignedInfo
- A dsig:SignatureProperties SHOULD be included on a dsig:Signature
- A dsig:SignatureProperties SHOULD include a dsig:SignatureProperty that includes a tmsad:signature-info
- If a reference points to a dsig:Object, the @Type MUST be populated on the reference with 'http://www.w3.org/2000/09/xmldsig#Object'
- If a reference points to a dsig:Manifest, the @Type MUST be populated on the reference with 'http://www.w3.org/2000/09/xmldsig#Manifest'
- If a reference points to a dsig:SignatureProperties, the @Type MUST be populated on the reference with 'http://www.w3.org/2000/09/xmldsig#SignatureProperties'

Transforms and canonicalization:
- Only XPath Filter 2.0 XPath transforms SHOULD be used
- Unnamed XSLT transforms SHOULD be avoided
- Canonical XML 1.1 transform SHOULD be used over Canonical XML 1.0
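The following is an added example, not code from NIST IR 7802 or from any NIST tool: a small Python checker that applies the TMSAD conventions listed above to a dsig:Signature before the cryptographic verification itself is attempted, so that a signature using SHA-1 digests, a single reference, an unreferenced Manifest or a missing tmsad:signature-info is reported rather than silently accepted. It assumes the W3C identifiers for Canonical XML 1.0, XPath 1.0 and XSLT transforms (the TMSAD text names them but does not list the URIs), and because the page gives only the prefix tmsad and not its namespace URI, the signature-info element is matched by local name. The two sample signatures are constructed in the code and are not real signed SCAP content.

```python
"""Pre-verification linter for the TMSAD dsig:Signature conventions (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
DSIG = "{" + DSIG_NS + "}"

SIGNATURE_METHODS = {                       # the SHOULD list from TMSAD
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
DIGEST_BITS = {                             # allowed digest URI -> required DigestValue length
    "http://www.w3.org/2001/04/xmlenc#sha256": 256,
    "http://www.w3.org/2001/04/xmldsig-more#sha384": 384,
    "http://www.w3.org/2001/04/xmlenc#sha512": 512,
}
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
# W3C transform / canonicalization identifiers (assumed; TMSAD names them, not their URIs)
C14N_10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
XPATH_10 = "http://www.w3.org/TR/1999/REC-xpath-19991116"
XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116"
# Elements a Reference may point at, with the @Type TMSAD requires for each.
TYPED_TARGETS = {DSIG + n: DSIG_NS + n for n in ("Object", "Manifest", "SignatureProperties")}


def local(tag):
    return tag.rsplit("}", 1)[-1]


def check_signature(xml_text):
    """Return a list of findings (strings); an empty list means every rule above held."""
    findings = []
    root = ET.fromstring(xml_text)
    sig = root if root.tag == DSIG + "Signature" else root.find(".//" + DSIG + "Signature")
    if sig is None:
        return ["no dsig:Signature element found"]
    by_id = {el.get("Id"): el for el in root.iter() if el.get("Id")}  # for resolving "#id" URIs
    signed_info = sig.find(DSIG + "SignedInfo")
    if signed_info is None:
        return ["dsig:SignedInfo missing"]
    cm = signed_info.find(DSIG + "CanonicalizationMethod")
    if cm is not None and cm.get("Algorithm") == C14N_10:
        findings.append("CanonicalizationMethod uses Canonical XML 1.0; 1.1 SHOULD be used")
    sm = signed_info.find(DSIG + "SignatureMethod")
    sm_alg = sm.get("Algorithm") if sm is not None else None
    if sm_alg not in SIGNATURE_METHODS:
        findings.append("SignatureMethod %r is not one of the TMSAD algorithms" % sm_alg)
    refs = signed_info.findall(DSIG + "Reference")   # direct children only, not Manifest refs
    if len(refs) < 2:
        findings.append("SignedInfo has %d Reference(s); at least two SHOULD be present" % len(refs))
    if len(refs) > 1 and all(r.get("Type") != DSIG_NS + "SignatureProperties" for r in refs):
        findings.append("no Reference in SignedInfo has Type SignatureProperties")
    ref_uris = set()
    for r in refs:
        uri = r.get("URI", "")
        ref_uris.add(uri)
        dm = r.find(DSIG + "DigestMethod")
        d_alg = dm.get("Algorithm") if dm is not None else None
        if d_alg == SHA1_DIGEST:
            findings.append("Reference %r: SHA-1 digest SHOULD NOT be used" % uri)
        elif d_alg not in DIGEST_BITS:
            findings.append("Reference %r: digest algorithm %r not in the TMSAD list" % (uri, d_alg))
        else:   # algorithm is allowed: the decoded DigestValue must have exactly the expected bit length
            dv = r.findtext(DSIG + "DigestValue", default="").strip()
            try:
                nbits = len(base64.b64decode(dv, validate=True)) * 8
            except ValueError:
                nbits = -1
            if nbits != DIGEST_BITS[d_alg]:
                findings.append("Reference %r: DigestValue is %d bits, expected %d" % (uri, nbits, DIGEST_BITS[d_alg]))
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is not None and target.tag in TYPED_TARGETS and r.get("Type") != TYPED_TARGETS[target.tag]:
            findings.append("Reference %r points at %s but Type is %r" % (uri, local(target.tag), r.get("Type")))
        for t in r.iter(DSIG + "Transform"):
            t_alg = t.get("Algorithm")
            if t_alg == XPATH_10:
                findings.append("Reference %r: XPath 1.0 transform; only XPath Filter 2.0 SHOULD be used" % uri)
            elif t_alg == XSLT:
                findings.append("Reference %r: XSLT transform SHOULD be avoided" % uri)
            elif t_alg == C14N_10:
                findings.append("Reference %r: Canonical XML 1.0 transform; 1.1 SHOULD be used" % uri)
    for m in sig.iter(DSIG + "Manifest"):          # every Manifest MUST be referenced from SignedInfo
        if m.get("Id") is None or "#" + m.get("Id") not in ref_uris:
            findings.append("Manifest %r is not referenced from SignedInfo" % m.get("Id"))
    props = sig.find(".//" + DSIG + "SignatureProperties")
    if props is None:
        findings.append("no SignatureProperties on the Signature")
    elif not any(local(el.tag) == "signature-info" for el in props.iter()):
        findings.append("SignatureProperties carries no signature-info (matched by local name only)")
    return findings


def sample_signature(conforming=True):
    """Constructed sample Signature; the tmsad namespace URI is a placeholder, not the real one."""
    b64 = lambda digest: base64.b64encode(digest).decode()
    sha256_digest = b64(hashlib.sha256(b"constructed signed content").digest())
    if conforming:
        return """<dsig:Signature xmlns:dsig="%s" xmlns:tmsad="urn:example:tmsad-placeholder" Id="sig">
  <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <dsig:Reference URI="#content"><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>%s</dsig:DigestValue></dsig:Reference>
    <dsig:Reference URI="#props" Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties"><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>%s</dsig:DigestValue></dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>c2lnbmF0dXJl</dsig:SignatureValue>
  <dsig:Object><dsig:SignatureProperties Id="props"><dsig:SignatureProperty Target="#sig"><tmsad:signature-info/></dsig:SignatureProperty></dsig:SignatureProperties></dsig:Object>
</dsig:Signature>""" % (DSIG_NS, sha256_digest, sha256_digest)
    # Non-conforming: C14N 1.0, HMAC-SHA1 signature, one SHA-1 reference with an XSLT transform,
    # an unreferenced Manifest and no SignatureProperties (7 findings).
    return """<dsig:Signature xmlns:dsig="%s" Id="sig">
  <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="%s"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <dsig:Reference URI="#content"><dsig:Transforms><dsig:Transform Algorithm="%s"/></dsig:Transforms><dsig:DigestMethod Algorithm="%s"/><dsig:DigestValue>%s</dsig:DigestValue></dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>c2lnbmF0dXJl</dsig:SignatureValue>
  <dsig:Object><dsig:Manifest Id="m"><dsig:Reference URI="#x"><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>%s</dsig:DigestValue></dsig:Reference></dsig:Manifest></dsig:Object>
</dsig:Signature>""" % (DSIG_NS, C14N_10, XSLT, SHA1_DIGEST, b64(hashlib.sha1(b"x").digest()), sha256_digest)


if __name__ == "__main__":
    for label, ok in (("conforming", True), ("non-conforming", False)):
        print(label, check_signature(sample_signature(ok)))
```

The checker deliberately stops at structural and algorithm-policy rules; it does not verify the signature value, so it belongs in front of a real XML Signature verifier (for example one that also binds the canonicalization and transform choices) rather than in place of it. Running it as a script prints an empty finding list for the conforming sample and seven findings for the other.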