[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded
Hi all, I would like to make some comments on the dss requirements draft: 1. Line 194ff: I think that CMS/PKCS#7 is widely used and therefore important enough to be considered explicitely. Formats apart from XMLDSIG and CMS I deem to be beyond the scope of this TC. 2. Line 201f: Is it necessary to distinguish between a string and a SAML assertion? The former can be seen as a subset of the latter. 3. Line 217: There are additional use cases for time stamps (see the submision from Nick Pope: ETSI TS 101 903 (XAdES) [1]). 4. Line 230f: The cited ETSI specifications contain many useful attributes. I think we should discuss in detail which of those a DS service must understand/must be able to apply. 5. Line 245ff: My interpretation of plain and transformed is as follows: Plain - the requester submits the data and instructions which transforms have to be applied by the service prior to computing the digest; Transformed - the requester submits trans- form instructions together with the already transformed data, i. e. the service need not compute the transforms. Right? 6. Line 300: I cannot see any impressing arguments to support this. 7. Line 304ff: If we let the requester decide which dsig:References inside a dsig:SignedInfo should be verified, we are not conform with the processing model of XMLDSIG, which says that verifying a signature means verifying all References in SignedInfo. Regar- ding the verification of a dsig:Manifest, the requester should have the possibility to decide which dsig:References inside a dsig:Manifest should be verified; this makes sense taking into account the processing model of XMLDSIG. 8. Line 316ff: The question leaves open on which evidence the server bases its knowledge about the key compromise. In order to fullfil verification requests with a date in the past, the service must archive historical revocation information. Then it should be possible for the service to determine the revocation status at the requested verification time. 9. Line 321: I guess "transformed data" means the data used as input for computing the hash of a dsig:Reference? 10. Line 326: Reason codes should be elaborated in more detail. 11. Line 350ff: Additional query feature: Which signing keys can be used by the requestor? 12. Line 356f: Is it useful for the requester to know which sig algs and transforms the service supports for signature verification? What can the requester decide upon this information? I. e. isn't it sufficient to send a signature to the service and wait how the service responds (possibly with an error "do not support sig alg xy"? 13. Line 364: Profiling is fine, but I think there should be minimum requirements to be fulfilled by each DSS. 14. Some requirements I listed in my mail [2] have not been considered in the draft. Could you please either add the requirements or provide the motivation for not considering them? - req 2.1.2 - req 2.2.2 Regards, Gregor --- [1] http://lists.oasis-open.org/archives/dss/200212/msg00000.html [2] http://lists.oasis-open.org/archives/dss/200301/msg00016.html > -----Original Message----- > From: robert.zuccherato@entrust.com > [mailto:robert.zuccherato@entrust.com] > Sent: Monday, March 24, 2003 10:08 PM > To: dss@lists.oasis-open.org > Subject: [dss] Groups - dss-requirements-1.0-draft-02.doc uploaded > > > The document dss-requirements-1.0-draft-02.doc has been > submitted by Robert Zuccherato > (robert.zuccherato@entrust.com) to the Digital Signature > Services TC document repository. > > Document Description: > > > Download Document: > http://www.oasis-open.org/apps/org/workgroup/dss/download.php/ > 1182/dss-requirements-1.0-draft-02.doc > > View Document Details: > http://www.oasis-open.org/apps/org/workgroup/dss/document.php? > document_id=1182 > > > PLEASE NOTE: If the above links do not work for you, your > email application > may be breaking the link into two pieces. You may be able to > copy and paste > the entire link address into the address field of your web browser. > > -OASIS Open Administration >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]