When creating SWID tags, there are many issues to be concerned about. Some of the basics have to do with the XML structure itself: is the SWID tag a well-formed and valid XML file? Further, if the SWID tag is digitally signed, does the signature meet FIPS 800-131 requirements for digital signature strength? Is there enough information provided to ensure the signature is a persistent signature?
For most organizations, digitally signing data provides more than enough complications. On top of that, SWID tag consumers and all organizations that use SWID tag data benefit greatly from consistent, normalized enumerated data values, from consistent use of registered names and values, and from the authoritative nature of digitally signed SWID tags. Taken together, this makes for a potentially much more complicated system to manage.
TagVault.org Provides Solutions
TagVault.org provides tools and processes that make these tasks easy and inexpensive, and that integrate into the existing processes of any tag producer environment.
These tools are available for use by TagVault.org contributing members. Join TagVault.org now to access these tools as well as the source code.
GUI Tag Creation & Signing
For those organizations just starting to work with SWID tags, TagVault.org provides a GUI version of the tag creation and signing tool that can be used on multiple platforms (Linux, Mac and Windows have been tested). This utility provides an easy-to-use, guided interface for creating the first SWID tags your organization will need.
This utility ensures that all SWID tags created are well-formed and valid XML, and also validates that data values meet the data restrictions defined by the standard (such as the structure of a regid value). It also allows organizations to use digital certificates stored in a Java keystore to digitally sign their validated tags. Finally, the GUI version of the tool supports authoritatively time-stamped signatures, which ensure that a signed SWID tag will be persistent.
Command-Line Tag Validation and Signing
Once an organization has created its initial SWID tags, a template will be formed. These templates are then typically populated automatically by build tools, removing extra decision points from a developer's checklist. The command-line version of the TagVault.org tool can then be incorporated directly into the development process to ensure that all data values that need to be normalized or need to match a specified value are specified properly.
This utility integrates into a build environment, does all processing locally, and uses the SWID tag producer's certificate, which may be stored in a Java keystore, a Windows keystore (user or system) or a PFX file (also referred to as a PKCS #12 file).
When integrated properly, the only inputs required are likely to be the passwords required to access the digital certificate used to sign the SWID tag.