Cryptographic signing of STIX documents

[johnwunder]

The community would like to have a way of digitally signing STIX content. Potential decisions include:

• What needs to be signable? The whole document? Specific pieces?
• Does the signature need to be in the STIX document or can it be separate?
• What actual mechanism should we use? Does it work across XML and other serializations?

[MarkDavidson]

TAXII uses the XML Digital Signature specification for signing part (or all) of a TAXII message. This may be a useful starting point: http://taxii.mitre.org/specifications/version1.1/TAXII_XMLMessageBinding_Specification.pdf

See sections 3.1 (for how it is done at the message level - all messages do it this way) and 3.9 for how it is done in a Content Block.

[athiasjerome]

XMLDSig is also what is used in OVAL reporting (for examples of implementation)