Modified: DSS-X Conference Call 168+

[OASIS Open<workgroup_mailer@lists.oasis-open.org>]

        Submitter's message
        Updated agenda with input from Andreas on core.
        
-- Mr. Stefan Hagen

Event Title: DSS-X Conference Call 168+

---

Date: Monday, 31 October 2016, 06:00pm to 07:00pm CET
Description

Call will be established by co-chairs through skype.
If participating for the first time, please send skype id to co-chairs by private e-mail.
Note: Due to partial non-accessibility of skype-chat-service:
Please use our alternate chat room at http://webconf.soaphub.org/conf/room/dss-x

This meeting counts towards voter eligibility.

---

Agenda

1. Welcome by the chair (Juan Carlos Cruellas)

2. Minutes taker
All write into the chat, Stefan assembles and uploads into document area.

3. Roll call

4. Approval of the agenda

5. Approval of minutes from previous calls
 

5.1 Meeting minutes of #168 on 2016-OCT-17

URL="">

 

6. Core and Profile Maintenance

6.1 Local Signature Profile

6.2 Profile for Comprehensive Multi-Signature Verification Reports

6.2.1 Open Action Items from Previous Call(s)

AP on AK to contact Detlev for reminding him to submit modified version of this profile.

6.3 Core

6.3.1 Open Action Items from Previous Call(s)

AP => All members will review the change and errata document provided in Documents/Core and propose any additions that 
      needs consideration.

Input from Andreas (https://www.oasis-open.org/apps/org/workgroup/dss-x/email/archives/201610/msg00016.html):

comments on the Errata document. 

The first two sections are agreed upon, I assume.

Section 3.1.1:

I'm not sure that I get the problem right. The @URIs of the
ds:References correlate to the RefURI of the input documents. Multiple
input documents result in a set of ds:References.

Section 4.1.1:

A bit too tricky for the core I would guess. The request is plausible
but I may introduce complexity I would like to be addressed in a
specific profile, not in the core. Probably it wouldn't be sufficient to
require one element to be present but a set of elements. Or an
alternative set of elements ... and the generic 'MgmtData' will need
special care to be taken! And we would need to define some type of error
response. I would prefer to keep it off the core.

Section 4.2.1:

I don't want to import with this design flaw into the core! It's so PDF
specific, keep it e.g. in the PAdES profile.

Section 4.3.1:

Dtmo the selection of a key of set of keys should be defined by the
usage context of the DSS endpoint. This may be done by the user but in a
user friendly manner. The KeyInfo structure is not fit for this.

A response set will become invalid in an undetermined period of time (
e.g. by key expiry, key renewal). Introducing additional complexities on
the user side.

The enumeration of available keys is critical from the security point of
view.

Moreover the management of the available keys is the primary duty of a
signing server. But this is already weakened by the KeySelector. What
should be filled in here when we don't tell which keys are available? My
proposal would be: drop both, this enumeration request and the KeySelector.

Section 5.1:

Already fixed, I assume.

Section 5.2:

The Verification profile is already dealing with both versions of SAML.
This could be applied to the core, too. ut my recommendation would be:
Uswe SAML 2.0 only!

And additional remarks on Core from Andreas (https://www.oasis-open.org/apps/org/workgroup/dss-x/email/archives/201610/msg00017.html):

I would like to propose some additional changes to the core once we are going to touch it:

1. Each request may be attributed with a set of profiles. Therefore drop the profile attributes from RequestBaseType and ResponseBaseType. Introduce a set of 'AppliedProfile' items to OptionalOutputs.
2. Each request may be attributes with a set of policies. The section regarding 'ServicePolicy' does not explicitly state the option for multiple policies. Introduce a set of 'AppliedPolicy' items to OptionalOutputs.
3. Streamline the core by dropping EscapedXML and InlineXML.
4. Consider replacing dss:AnyType by xades:AnyType. The slightly different structures with same name cause irritations.
5. Clearify the cardinality and the intentions of the optional elements by enumerating them in OptionalInputs and  OptionalOutputs explicitly.
6. Give a the specific type 'xs:boolean' to the flag-type OptionalInputs 'Return*' elements.

7. New Profile Candidates

7.1 PAdES

7.1.1 Open Action Items from Previous Call(s)

7.1.2 Review of Changes in Document / Discussion

7.2 Server Site Profile for JEE Code Signing

7.2.1 Open Action Items from Previous Call(s)

7.2.2 Review of Changes in Document / Discussion

8. AOB

9. Next meetinga 

9.1 Next meeting

Suggested is 2016-NOV-14

Registration Meeting #170:
URL="">

9.2 Further upcoming Meetings

* 2016-NOV-28 (#171)
  URL="">

* 2016-DEC-12 (#172)
  URL="">

* Winter-Break

 

---

Owner: Mr. Stefan Hagen
Group: OASIS Digital Signature Services eXtended (DSS-X) TC
Sharing: This event is shared with the OASIS Open (General Membership), and General Public groups. Public Event Link

• Learn more about subscribing here.
• View the OASIS Digital Signature Services eXtended (DSS-X) TC calendar here.
• You may receive future notifications with updates to this event. Update the event on your calendar by accepting the changes.

Attachment: ical_43618.ics
Description: application/ics

BEGIN:VCALENDAR
CALSCALE:GREGORIAN
METHOD:REQUEST
VERSION:2.0
PRODID:-//Kavi Corporation//NONSGML Kavi Groups//EN
X-MS-OLK-FORCEINSPECTOROPEN:TRUE
BEGIN:VTIMEZONE
TZID:Europe/Paris
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T020000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
STATUS:CONFIRMED
TRANSP:OPAQUE
DTSTAMP:20161031T165148Z
DTSTART;VALUE=DATE-TIME;TZID=Europe/Paris:20161031T180000
DTEND;VALUE=DATE-TIME;TZID=Europe/Paris:20161031T190000
SEQUENCE:3
SUMMARY:DSS-X Conference Call 168+
LAST-MODIFIED:20161031T165148Z
ORGANIZER:workgroup_mailer@lists.oasis-open.org
DESCRIPTION:Call will be established by co-chairs through skype.\nIf par
 ticipating for the first time\, please send skype id to co-c
 hairs by private e-mail.\nNote: Due to partial non-accessibi
 lity of skype-chat-service:\nPlease use our alternate chat r
 oom at http://webconf.soaphub.org/conf/room/dss-x\n\nAgenda:
  1. Welcome by the chair (Juan Carlos Cruellas)\n\n2. Minute
 s taker\nAll write into the chat\, Stefan assembles and uplo
 ads into document area.\n\n3. Roll call\n\n4. Approval of th
 e agenda\n\n5. Approval of minutes from previous calls\n \n\
 n5.1 Meeting minutes of #168 on 2016-OCT-17\n\nURL=https://w
 ww.oasis-open.org/committees/download.php/59153/dssx-168-dra
 ft-minutes-shagen-20161017.txt\n\n \n\n6. Core and Profile M
 aintenance\n\n6.1 Local Signature Profile\n\n6.2 Profile for
  Comprehensive Multi-Signature Verification Reports\n\n6.2.1
  Open Action Items from Previous Call(s)\n\nAP on AK to cont
 act Detlev for reminding him to submit modified version of t
 his profile.\n\n6.3 Core\n\n6.3.1 Open Action Items from Pre
 vious Call(s)\n\nAP =&gt\; All members will review the chang
 e and errata document provided in Documents/Core and propose
  any additions that \n      needs consideration.\n\nInput fr
 om Andreas (https://www.oasis-open.org/apps/org/workgroup/ds
 s-x/email/archives/201610/msg00016.html):\n\ncomments on the
  Errata document. \n\nThe first two sections are agreed upon
 \, I assume.\n\nSection 3.1.1:\n\nI&#39\;m not sure that I g
 et the problem right. The @URIs of the\nds:References correl
 ate to the RefURI of the input documents. Multiple\ninput do
 cuments result in a set of ds:References.\n\nSection 4.1.1:\
 n\nA bit too tricky for the core I would guess. The request 
 is plausible\nbut I may introduce complexity I would like to
  be addressed in a\nspecific profile\, not in the core. Prob
 ably it wouldn&#39\;t be sufficient to\nrequire one element 
 to be present but a set of elements. Or an\nalternative set 
 of elements ... and the generic &#39\;MgmtData&#39\; will ne
 ed\nspecial care to be taken! And we would need to define so
 me type of error\nresponse. I would prefer to keep it off th
 e core.\n\nSection 4.2.1:\n\nI don&#39\;t want to import wit
 h this design flaw into the core! It&#39\;s so PDF\nspecific
 \, keep it e.g. in the PAdES profile.\n\nSection 4.3.1:\n\nD
 tmo the selection of a key of set of keys should be defined 
 by the\nusage context of the DSS endpoint. This may be done 
 by the user but in a\nuser friendly manner. The KeyInfo stru
 cture is not fit for this.\n\nA response set will become inv
 alid in an undetermined period of time (\ne.g. by key expiry
 \, key renewal). Introducing additional complexities on\nthe
  user side.\n\nThe enumeration of available keys is critical
  from the security point of\nview.\n\nMoreover the managemen
 t of the available keys is the primary duty of a\nsigning se
 rver. But this is already weakened by the KeySelector. What\
 nshould be filled in here when we don&#39\;t tell which keys
  are available? My\nproposal would be: drop both\, this enum
 eration request and the KeySelector.\n\nSection 5.1:\n\nAlre
 ady fixed\, I assume.\n\nSection 5.2:\n\nThe Verification pr
 ofile is already dealing with both versions of SAML.\nThis c
 ould be applied to the core\, too. ut my recommendation woul
 d be:\nUswe SAML 2.0 only!\n\nAnd additional remarks on Core
  from Andreas (https://www.oasis-open.org/apps/org/workgroup
 /dss-x/email/archives/201610/msg00017.html):\n\nI would like
  to propose some additional changes to the core once we are 
 going to touch it:\n\n1. Each request may be attributed with
  a set of profiles. Therefore drop the profile attributes fr
 om RequestBaseType and ResponseBaseType. Introduce a set of 
 &#39\;AppliedProfile&#39\; items to OptionalOutputs.\n2. Eac
 h request may be attributes with a set of policies. The sect
 ion regarding &#39\;ServicePolicy&#39\; does not explicitly 
 state the option for multiple policies. Introduce a set of &
 #39\;AppliedPolicy&#39\; items to OptionalOutputs.\n3. Strea
 mline the core by dropping EscapedXML and InlineXML.\n4. Con
 sider replacing dss:AnyType by xades:AnyType. The slightly d
 ifferent structures with same name cause irritations.\n5. Cl
 earify the cardinality and the intentions of the optional el
 ements by enumerating them in OptionalInputs and  OptionalOu
 tputs explicitly.\n6. Give a the specific type &#39\;xs:bool
 ean&#39\; to the flag-type OptionalInputs &#39\;Return*&#39\
 ; elements.\n\n7. New Profile Candidates\n\n7.1 PAdES\n\n7.1
 .1 Open Action Items from Previous Call(s)\n\n7.1.2 Review o
 f Changes in Document / Discussion\n\n7.2 Server Site Profil
 e for JEE Code Signing\n\n7.2.1 Open Action Items from Previ
 ous Call(s)\n\n7.2.2 Review of Changes in Document / Discuss
 ion\n\n8. AOB\n\n9. Next meetinga \n\n9.1 Next meeting\n\nSu
 ggested is 2016-NOV-14\n\nRegistration Meeting #170:\nURL=ht
 tps://www.oasis-open.org/apps/org/workgroup/dss-x/event.php?
 event_id=43619\n\n9.2 Further upcoming Meetings\n\n\n* 2016-
 NOV-28 (#171)\n  URL=https://www.oasis-open.org/apps/org/wor
 kgroup/dss-x/event.php?event_id=43620\n\n* 2016-DEC-12 (#172
 )\n  URL=N/A\n\n* Winter-Break\n\n \nGroup: OASIS Digital Si
 gnature Services eXtended (DSS-X) TC\nCreator: Mr. Stefan Ha
 gen
URL:https://www.oasis-open.org/apps/org/workgroup/dss-x/event.php?event_id=43618
UID:https://www.oasis-open.org/apps/org/workgroup/dss-x/event.php?event_id=43618
BEGIN:VALARM
ACTION:DISPLAY
DESCRIPTION:REMINDER
TRIGGER;RELATED=START:-PT00H15M00S
END:VALARM
END:VEVENT
END:VCALENDAR