AW: [dss-x] Verification Reports

["Huehnlein, Detlef" <Detlef.Huehnlein@secunet.com>]

Hallo DSS-X-Team,

as discussed in our last meeting, you will find a draft 
of an answer for Frank Cornelis below. As I will NOT be
able to attend our meeting today, you may finally edit the answer
and send it to Frank. 

Best regards,
   Detlef 

------

Dear Frank,

thank you very much for your mail. 
 
> As part of an eID DSS implementation targeting the Belgian 
> eID card, available at:
>     http://code.google.com/p/eid-dss/
> I've implemented OASIS DSS core and the VR profile. I'm 
> looking for feedback on this to be sure that I've interpreted 
> the VR profile correctly. A protocol run by example is 
> available as part of the eID DSS developer's guide at:
>     
> http://eid-dss.googlecode.com/files/eid-dss-dev-guide-15-09-2010.pdf
> under section "3. OASIS DSS Web Service". So here are my questions:
> Is it OK to use 
> vr:VerificationReport/vr:IndividualReport/vr:SignedObjectIdent
> ifier/vr:SignedProperties/vr:SignedSignatureProperties/xades:S
> igningTime to uniquely identify the signature?

Yes. Using the xades:SigningTime-property to identify the signature is usually 
a good idea, as using this element as identifier is very natural for human 
consumers of a verification report. However if it can not be guaranteed that
the signing time alone is sufficient to provide uniqueness, it is advisable to 
also use additional identifiers to ensure unique identification of signatures. 

> Is it OK to use 
> vr:VerificationReport/vr:IndividualReport/vr:Details/vr:Indivi
> dualCertificateReport/vr:CertificateValue to get the signing 
> certificate?

No. The validity of the signing certificate should be reported 
in the first vr:CertificateValidity-element within vr:DetailedSignatureReport/vr:CertificatePathValidity/vr:PathValidityDetail.
The vr:IndividualCertificateReport-element is only meant to be used
if a certificate is to be verified without a specific signature-related context.

---