[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: AW: [dss-x] Verification Reports
Hallo Frank, thank you very much for mail. Sorry, that my answer took that much time. > As part of an eID DSS implementation targeting the Belgian > eID card, available at: > http://code.google.com/p/eid-dss/ > I've implemented OASIS DSS core and the VR profile. I'm > looking for feedback on this to be sure that I've interpreted > the VR profile correctly. A protocol run by example is > available as part of the eID DSS developer's guide at: > > http://eid-dss.googlecode.com/files/eid-dss-dev-guide-15-09-2010.pdf > under section "3. OASIS DSS Web Service". So here are my questions: > Is it OK to use > vr:VerificationReport/vr:IndividualReport/vr:SignedObjectIdent > ifier/vr:SignedProperties/vr:SignedSignatureProperties/xades:S > igningTime to uniquely identify the signature? Yes. Using the xades:SigningTime-property to identify the signature is usually a good idea, as using this element as identifier is very natural for human consumers of a verification report. However if it can not be guaranteed that the signing time alone is sufficient to provide uniqueness, it is advisable to also use additional identifiers (e.g. DigestAlgAndValue, SignatureValue) to ensure the unique identification of signatures. > Is it OK to use > vr:VerificationReport/vr:IndividualReport/vr:Details/vr:Indivi > dualCertificateReport/vr:CertificateValue to get the signing > certificate? Concerning this question it is not entirely clear to me what you exactly mean by "to get the signing certificate". If you ask whether vr:VerificationReport/vr:IndividualReport/vr:Details/vr:IndividualCertificateReport is the "right place" to include the verification result for the "signing certificate" (in the sense of the SigningCertificate-property of a XAdES-signature according to Section 7.2.2 of http://uri.etsi.org/01903/v1.4.1/ts_101903v010401p.pdf), which may contain the certificate itself in the CertificateValue-element, then the answer is "no", because the verification result for a certificate on which an advanced electronic signature is based SHOULD be reported in the first vr:CertificateValidity-element within vr:DetailedSignatureReport/vr:CertificatePathValidity/vr:PathValidityDetail. The vr:IndividualCertificateReport-element is only meant to be used if a certificate is to be verified WITHOUT a specific signature-related context. As this point is not yet clearly specified in the current version of the profile, we will include a clarifying note as soon as possible. It would be great, if you could provide some more details about the second question. Best regards, Detlef > > Besides the VR profile implementation, section 2 of the same > developer's guide also highlights the implementation of an > "eID DSS Browser POST Protocol" for the creation of eID based > signatures that require interaction with the web browser of > the end-user. What I would like to do is to define a similar > Browser POST profile on top of the OASIS DSS core. So where > to get started? I just do some implementation, document it > and send it over for review? > > > Thanks in advance, > Frank. > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgr oups.php > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]