This document defines guidelines for signing SWID tags in support of the [SWID] standard. The standard states that when digitally signing SWID tags, implementors will follow at a minimum the [XMLDSIG] recommendations, use an enveloped signature, add a timestamp per [W3C-XAdES], and include the public signature for the signing entity.
This document details and builds on those requirements. The guidance drafted herein supports the security and reliability of tag signing. These guidelines are drafted with the needs of implementors in mind and to provide value for all members of the software ecosystem (publishers, tools and service providers, and end-users).
The public review for the SWID Tag Signing Guidelines Paper opens on April 26, 2017, and will remain open until June 25, 2017.
Download the SWID Tag Signing Guidelines HERE.
Access the SWID Tag Signing Guidelines comments page HERE.
Alternatively, comments can be submitted as a .pdf to firstname.lastname@example.org. Please include your name, company, title, and the email address used to download the paper, and follow the format below:
Step 1: Please specify the type of comment:
GT = General Technical – the comment applies to many areas of the document
TH = Technical High – the comment is technical and is considered important
TL = Technical Low – the comment is technical in nature but is a lower priority
GE = General Editorial – the comment is editorial in nature and is seen throughout the document
E = Editorial – the comment is editorial and found in one location in the document
Step 2: Enter the Line #, Figure # or Table #
Step 3: Provide proposed new text
Step 4: Provide supporting reasons