August 22, 2017
This document defines guidelines for signing SWID tags in support of the [SWID] standard. The standard states that when digitally signing SWID tags, implementors will follow at a minimum the [XMLDSIG] recommendations, use an enveloped signature, add a timestamp per [W3C-XAdES], and include the public signature for the signing entity.
This document details and builds on those requirements. The guidance herein supports the security and reliability of tag signing. These guidelines are drafted with the needs of implementors in mind and are intended to provide value for all members of the software ecosystem (publishers, tools and service providers, and end users).
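The minimum requirements listed above can be checked structurally before any cryptographic validation. The following is an added example, not code from the guidelines document: the function name is hypothetical, the element names come from the XMLDSIG and XAdES 1.3.2 namespaces, and it assumes the signer's "public signature" is carried as key material in `ds:KeyInfo`.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
ENVELOPED = DS + "enveloped-signature"

def _has(elem, ns, name):
    """True if elem or any descendant is the element {ns}name."""
    return next(elem.iter(f"{{{ns}}}{name}"), None) is not None

def check_signature_structure(xml_text):
    """Return a list of structural problems (empty list = all present).
    Structure only: digests and signature values are NOT verified here."""
    # For untrusted tags, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return ["no ds:Signature child of the tag root, so not an enveloped signature"]
    problems = []
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if not any(r.get("URI") == "" and any(t.get("Algorithm") == ENVELOPED
               for t in r.iter(f"{{{DS}}}Transform")) for r in refs):
        problems.append("no whole-document Reference with the enveloped-signature transform")
    key_info = sig.find(f"{{{DS}}}KeyInfo")  # assumption: signer key material lives here
    if key_info is None or not (_has(key_info, DS, "X509Certificate")
                                or _has(key_info, DS, "KeyValue")):
        problems.append("no signer key material in ds:KeyInfo")
    if not _has(sig, XADES, "SignatureTimeStamp"):
        problems.append("no xades:SignatureTimeStamp")
    return problems

# Constructed sample: placeholder values, not a real or valid signature.
SAMPLE_TAG = f"""<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    xmlns:ds="{DS}" xmlns:xades="{XADES}" name="Example App" tagId="example-tag-id">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    <ds:Object><xades:QualifyingProperties><xades:UnsignedProperties><xades:UnsignedSignatureProperties>
      <xades:SignatureTimeStamp><xades:EncapsulatedTimeStamp>PLACEHOLDER</xades:EncapsulatedTimeStamp></xades:SignatureTimeStamp>
    </xades:UnsignedSignatureProperties></xades:UnsignedProperties></xades:QualifyingProperties></ds:Object>
  </ds:Signature>
</SoftwareIdentity>"""

if __name__ == "__main__":
    print(check_signature_structure(SAMPLE_TAG) or "all structural checks passed")
```

A tag that passes these checks still has to go through full XMLDSIG validation of the digest, signature value, certificate chain and timestamp token before it is trusted.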