Specification: NIST IR 7802 - Trust Model for Security Automation Data (TMSAD) Version 1.0
Authors: Adam Halbardier, Harold Booth
Version: 1.0
Date: 2011-09-22

dsig:SignatureMethod SHOULD contain one of 'http://www.w3.org/2000/09/xmldsig#dsa-sha1', 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', 'http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256'
dsig:DigestMethod @Algorithm SHOULD contain one of 'http://www.w3.org/2001/04/xmlenc#sha256', 'http://www.w3.org/2001/04/xmldsig-more#sha384', 'http://www.w3.org/2001/04/xmlenc#sha512'
dsig:DigestMethod @Algorithm SHOULD NOT contain 'http://www.w3.org/2000/09/xmldsig#sha1'
When dsig:DigestMethod @Algorithm equals 'http://www.w3.org/2001/04/xmlenc#sha256' then dsig:DigestValue MUST be a 256 bit Base64 value
When dsig:DigestMethod @Algorithm equals 'http://www.w3.org/2001/04/xmldsig-more#sha384' then dsig:DigestValue MUST be a 384 bit Base64 value
When dsig:DigestMethod @Algorithm equals 'http://www.w3.org/2001/04/xmlenc#sha512' then dsig:DigestValue MUST be a 512 bit Base64 value
At least two references SHOULD be provided on dsig:SignedInfo. One reference SHOULD be to the content being signed and the other reference SHOULD be to a dsig:SignatureProperties
If more than one reference is supplied on dsig:SignedInfo, then at least one of the references SHOULD be to a dsig:SignatureProperties
Every dsig:Manifest supplied on a signature MUST be referenced by a reference on the dsig:SignedInfo
A dsig:SignatureProperties SHOULD be included on a dsig:Signature
A dsig:SignatureProperties SHOULD include a dsig:SignatureProperty that includes a tmsad:signature-info
If a reference points to a dsig:Object, the @Type MUST be populated on the reference with 'http://www.w3.org/2000/09/xmldsig#Object'
If a reference points to a dsig:Manifest, the @Type MUST be populated on the reference with 'http://www.w3.org/2000/09/xmldsig#Manifest'
If a reference points to a dsig:SignatureProperties, the @Type MUST be populated on the reference with 'http://www.w3.org/2000/09/xmldsig#SignatureProperties'
Only XPath Filter 2.0 XPath transforms SHOULD be used
Unnamed XSLT transforms SHOULD be avoided
Canonical XML 1.1 transform SHOULD be used over Canonical XML 1.0
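
The reference-level rules above (DigestValue size per algorithm, the SHA-1 digest rule, @Type on same-document references, and Manifest coverage by dsig:SignedInfo) can be checked mechanically before a signature is trusted. The Python checker below is an added example, not part of NIST IR 7802; the names check_signature and make_ref, the finding labels and the sample signature are constructed for illustration.

```python
import base64, hashlib, xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
# Digest algorithm URI -> DigestValue size in bits required by the rules above
DIGEST_BITS = {XENC + "sha256": 256, XENC + "sha512": 512,
               "http://www.w3.org/2001/04/xmldsig-more#sha384": 384}
TYPED = ("Object", "Manifest", "SignatureProperties")

def check_signature(sig):
    """Return (level, message) findings for one dsig:Signature element."""
    out, ns = [], {"ds": DS}
    by_id = {e.get("Id"): e for e in sig.iter() if e.get("Id")}
    signed = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", ns)}
    for ref in sig.iter(f"{{{DS}}}Reference"):  # SignedInfo and Manifest references
        uri, dm = ref.get("URI", ""), ref.find("ds:DigestMethod", ns)
        alg = dm.get("Algorithm") if dm is not None else None
        raw = "".join(ref.findtext("ds:DigestValue", "", ns).split())
        if alg == DS + "sha1":
            out.append(("SHOULD NOT", f"{uri}: SHA-1 digest"))
        elif alg in DIGEST_BITS:
            try:
                bits = len(base64.b64decode(raw, validate=True)) * 8
            except ValueError:  # not valid Base64
                bits = -1
            if bits != DIGEST_BITS[alg]:
                out.append(("MUST", f"{uri}: DigestValue is not {DIGEST_BITS[alg]} bits"))
        # Same-document reference: resolve the target by Id to check @Type
        tag = by_id[uri[1:]].tag if uri.startswith("#") and uri[1:] in by_id else ""
        kind = tag[len(DS) + 2:] if tag.startswith("{" + DS + "}") else None
        if kind in TYPED and ref.get("Type") != DS + kind:
            out.append(("MUST", f"{uri}: @Type must be {DS}{kind}"))
    out += [("MUST", f"Manifest {m.get('Id')} not referenced from SignedInfo")
            for m in sig.iter(f"{{{DS}}}Manifest") if "#" + m.get("Id", "") not in signed]
    return out

def make_ref(uri, alg, hash_fn, type_attr=""):  # builds one constructed Reference
    dv = base64.b64encode(hash_fn(b"constructed sample").digest()).decode()
    return (f'<Reference URI="{uri}"{type_attr}><DigestMethod Algorithm="{alg}"/>'
            f'<DigestValue>{dv}</DigestValue></Reference>')

SAMPLE = (f'<Signature xmlns="{DS}"><SignedInfo>'  # constructed; no SignatureValue/KeyInfo
          + make_ref("#content", XENC + "sha256", hashlib.sha256, f' Type="{DS}Object"')
          + make_ref("#props", XENC + "sha512", hashlib.sha256)  # wrong size, no @Type
          + '</SignedInfo><Object Id="content"/><Object><SignatureProperties Id="props"/>'
          + '<Manifest Id="man">' + make_ref("data.xml", DS + "sha1", hashlib.sha1)
          + '</Manifest></Object></Signature>')

if __name__ == "__main__":
    print(*check_signature(ET.fromstring(SAMPLE)), sep="\n")
```

The checker inspects structure only; it does not verify the signature value or recompute digests, so it complements rather than replaces XML Signature validation.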