Subject: Re: [dss-x] Verification Reports


Hi Juan Carlos,


AFAIK the DSS Core specification has been designed to work with systems 
where the signing keys are centralized. What I'm looking for is a DSS 
protocol for "decentralized key management system", like for example the 
Belgian eID card. In this design each user has its own PKI token (eID 
card, eToken, whatever). To ease integration of digital signatures 
within web sites of Relying Parties, I've introduced an eID DSS service 
that knows how to handle the low-level communication with the eID card, 
and knows about XAdES and all different document formats.

Thus the idea is to have a secured protocol between Relying Parties and 
a DSS web portal to be able to sign documents, similar to the SAML 
Browser POST protocol (but for signing purposes instead of 
authentication). The protocol flow should go as follows:
- the User Agent (web browser) visits the RP web site
- the RP internally constructs some document as part of its implemented 
business process
- the RP sends the document to the DSS via some Browser POST based DSS 
protocol
- the DSS aids the signing process of the document received from the RP 
(requires Browser user interaction to insert eID card etc.)
- the DSS sends back the signed document to the RP, again using a 
Browser POST
See also slide 21 of:
http://eid-applet.googlecode.com/files/eid-integration.pdf

AFAIK the HTTP POST Transport Binding of DSS Core cannot be used as is 
for this purpose (offers no message-level security). So I would need a 
Browser POST Profile on top of DSS core (similar to the SAML Browser 
POST profile in the context of authentication).


Kind Regards,
Frank.

On 10/10/2010 09:15 PM, Juan Carlos Cruellas wrote:
> Dear Frank,
>
> Thank you very much for your message. The DSS-X TC is currently
> producing suitable answers to your first two questions. As for the last
> one, dealing with the possibility of specifying a "Browser POST profile
> on top of the OASIS DSS core", the TC agreed in its last meeting to ask
> your views on how this proposal would relate to the transport binding
> 6.1 HTTP POST Transport Binding of DSS Core.
>
> Best regards
>
> Juan Carlos
> On 16/09/2010 9:31, Cornelis Frank wrote:
>> Hi,
>>
>>
>> As part of an eID DSS implementation targeting the Belgian eID card, available at:
>>       http://code.google.com/p/eid-dss/
>> I've implemented OASIS DSS core and the VR profile. I'm looking for feedback on this to be sure that I've interpreted the VR profile correctly. A protocol run by example is available as part of the eID DSS developer's guide at:
>>       http://eid-dss.googlecode.com/files/eid-dss-dev-guide-15-09-2010.pdf
>> under section "3. OASIS DSS Web Service". So here are my questions:
>> Is it OK to use vr:VerificationReport/vr:IndividualReport/vr:SignedObjectIdentifier/vr:SignedProperties/vr:SignedSignatureProperties/xades:SigningTime to uniquely identify the signature?
>> Is it OK to use vr:VerificationReport/vr:IndividualReport/vr:Details/vr:IndividualCertificateReport/vr:CertificateValue to get the signing certificate?
>>
>> Besides the VR profile implementation, section 2 of the same developer's guide also highlights the implementation of an "eID DSS Browser POST Protocol" for the creation of eID based signatures that require interaction with the web browser of the end-user. What I would like to do is to define a similar Browser POST profile on top of the OASIS DSS core. So where to get started? I just do some implementation, document it and send it over for review?
>>
>>
>> Thanks in advance,
>> Frank.



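The Browser POST flow Frank sketches above, with the message-level security he notes the plain HTTP POST transport binding lacks, as an added illustration that is not code from eID DSS or from any OASIS specification: both sides' messages are simulated in one process, constructed pre-shared HMAC keys stand in for the RP and DSS signing keys a real profile would use (the field names and the `https://rp.example` / `https://dss.example` issuers are assumptions), and a request id ties the DSS response back to an outstanding RP request so that tampered, stale, unsolicited or replayed messages are rejected.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed pre-shared secrets; a real Browser POST profile would use
# the RP's and the DSS's certificates (XML-DSig) rather than shared keys.
RP_KEY = b"rp-to-dss-shared-secret"
DSS_KEY = b"dss-to-rp-shared-secret"


def _mac(key: bytes, fields: dict) -> str:
    """HMAC over the message fields in a canonical (sorted) order."""
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def rp_build_request(document: bytes, rp_id="https://rp.example", pending=None):
    """RP side: wrap the business document in an integrity-protected request."""
    req = {"RequestID": secrets.token_hex(16), "Issuer": rp_id,
           "IssueInstant": int(time.time()),
           "Document": base64.b64encode(document).decode()}
    req["Signature"] = _mac(RP_KEY, req)
    if pending is not None:            # remember outstanding requests
        pending[req["RequestID"]] = req["IssueInstant"]
    return req


def dss_handle_request(req: dict, now=None, max_age=300):
    """DSS side: check origin/integrity and freshness before any card interaction."""
    body = {k: v for k, v in req.items() if k != "Signature"}
    if not hmac.compare_digest(_mac(RP_KEY, body), req["Signature"]):
        return None                    # forged or tampered request
    now = int(time.time()) if now is None else now
    if now - req["IssueInstant"] > max_age:
        return None                    # stale request
    doc = base64.b64decode(req["Document"])
    # Placeholder for the XAdES signature the eID card would produce
    # during the user's browser session.
    signed = doc + b"\n<!-- signature placeholder -->"
    resp = {"InResponseTo": req["RequestID"], "Issuer": "https://dss.example",
            "SignedDocument": base64.b64encode(signed).decode()}
    resp["Signature"] = _mac(DSS_KEY, resp)
    return resp


def rp_handle_response(resp: dict, pending: dict):
    """RP side: accept the signed document only for an outstanding request."""
    body = {k: v for k, v in resp.items() if k != "Signature"}
    if not hmac.compare_digest(_mac(DSS_KEY, body), resp["Signature"]):
        return None                    # not from the DSS, or modified in transit
    if pending.pop(resp["InResponseTo"], None) is None:
        return None                    # unsolicited or replayed response
    return base64.b64decode(resp["SignedDocument"])
```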