Subject: FW: [dss-comment] Public Comment
Forwarding information from netfocus regarding their implementation of DSS and plans to participate in the work of the group.

Nick

-----Original Message-----
From: Carlos González-Cadenas [mailto:gonzalezcarlos@netfocus.es]
Sent: 13 January 2006 11:36
To: 'Nick Pope'
Cc: cruellas@ac.upc.edu
Subject: RE: [dss-comment] Public Comment

Nick, Juan Carlos,

I'm pleased to confirm to you that my company is in the process of joining OASIS, so that we can collaborate on the DSS TC. I hope to work with you in the TC ASAP.

In the meantime, we at netfocus (my company) were working on a full DSS implementation. As we have some complex requirements for our product that are not covered in the DSS core, I have prepared three DSS profiles:

* XSS: Contains some extensions to the DSS core. I think that it contains some "natural" (at least for me ;) ) extensions to the actual DSS that could be useful inside DSS (as you will see, this profile is used only to carry some useful things, and I think it could disappear if you consider that the additions are general enough). Also, some details are modified in the XAdES profile (minor additions, like identifiers for some forms that are not present in the document).

* Compound Profile: This profile allows the client to request more than one DSS operation per roundtrip (very useful, especially in batch environments or when performing batch operations (very common in the banking and government sectors)).

* Archive: Full signature archive protocol (the archive optional inputs for the signing/verifying profile are included in XSS). I think it's interesting to consider the archive protocol, as it's part of the signature lifecycle, and is a critical point for some kinds of signatures that must be preserved over long terms.

I would be very happy if you can add your expert points of view to these docs. We also would like to share some comments with the TC regarding our experience implementing DSS.

We would like, in the short term, to set up and host an open DSS service for testing purposes of the TC. Are you interested in that (maybe there's any other organization hosting this service)? Also, are there any interop events scheduled?

Thank you very much in advance.

Carlos

PS: The schemas have to be modified including the definitive URIs for every imported schema.

Carlos González-Cadenas
Director Tècnic, DirecTrust
Technical Director, DirecTrust

netfocus
Diagonal 188-198 Planta 2
08018 Barcelona
tel: 902 303 393
fax: 902 303 394
gonzalezcarlos@netfocus.es
www.netfocus.es

-----Original Message-----
From: Nick Pope [mailto:pope@secstan.com]
Sent: Wednesday, 24 August 2005 13:28
To: gonzalezcarlos@netfocus.es
CC: Juan Carlos Cruellas
Subject: Re: [dss-comment] Public Comment

Carlos,

I am very pleased to see the plans of your company to implement the DSS protocol and your desire to collaborate on incorporating some support for signature archival.

I suggest that the best way to collaborate would be to join the DSS technical committee. We meet every 2 weeks on a phone conference and have ongoing discussions by email. Membership requires you to be a member of OASIS, either as an individual or through your company (see http://www.oasis-open.org/join/).

As I mentioned in my earlier email, whilst supporting aspects of signature archiving may be of interest, I must point out that a full archiving protocol is beyond the scope of the group. So I would expect that any DSS standardisation activities would be limited in scope to those relating to signing and verifying protocols, although the private extensions are not ruled out by the protocol.

If your company is implementing DSS, I would also expect that there would be benefit anyway in participation, in getting a deep understanding of the issues which could have implications on implementing the protocol as well as the future directions of work in DSS.

Regards

Nick Pope

> -----Original Message-----
> From: Carlos González-Cadenas [mailto:gonzalezcarlos@netfocus.es]
> Sent: 23 August 2005 17:32
> To: 'Nick Pope'
> Subject: RE: [dss-comment] Public Comment
>
> Nick,
>
> We're actually implementing a product that will include support for DSS,
> particularly, a profile of the XAdES profile of DSS.
>
> Our product will have server-side signature creation/validation
> capabilities, signature long-term archiving, certificate validation
> capabilities, ....
>
> Our goal is dual: to be able to fully comply with the DSS protocol and also
> to be able to expose the full power of our server by means of a unified
> protocol (if possible DSS).
>
> We're actually considering for DSS
>
> * Certificate Validation (in the Verification protocol), using
>   <ds:X509Certificate> or <ds:X509Data> in the <dss:SignatureObject> and
>   creating several optional inputs / optional outputs to customize the
>   behaviour of the certificate validation algorithm (i.e. certificate
>   policies, name constraints, ...).
>
> * Signature Archival. In several ways
>
>   * directly: creating a new protocol i.e. DSS Archiving Protocol, with
>     primitives to request
>     * the archival of a signature,
>     * the verification of an archived signature,
>     * the removal of a signature previously archived,
>     * optionally others, like modify the archival policy of an object
>
>   * indirectly: through the sign/verify protocols
>     * requesting the server to archive the signature after its creation
>     * requesting the server to archive the signature after its verification
>
> * Support for signature policies (sign/verify protocols)
>
> We would like to be able to collaborate with you in the definition of these
> things if you're interested, as we would like to remain fully compatible
> with DSS.
>
> What's the best way to accomplish these goals? (i.e. create a DSS profile,
> ...). What are the requirements for being able to publish a DSS profile /
> collaborate with you in the TC? (if possible)
>
> Many thanks in advance and thank you for your time,
>
> Best regards,
>
> Carlos
>
> Carlos González-Cadenas
> Director Tècnic, DirecTrust
> Technical Director, DirecTrust
>
> netfocus
> Diagonal 188-198 Planta 2
> 08018 Barcelona
> tel: 902 303 393
> fax: 902 303 394
> gonzalezcarlos@netfocus.es
> www.netfocus.es
>
> -----Original Message-----
> From: Nick Pope [mailto:pope@secstan.com]
> Sent: Tuesday, 23 August 2005 15:48
> To: gonzalezcarlos@netfocus.es; dss-comment@lists.oasis-open.org; OASIS DSS TC
> Subject: RE: [dss-comment] Public Comment
>
> Carlos,
>
> Thanks for your comments.
>
> Firstly, we are aware of the problem with Unique Particle Attribution and
> this will be addressed in the next Committee draft to be issued shortly.
>
> Secondly, your suggestion regarding archiving signatures is interesting. I
> don't believe that a full archive protocol would be within the scope but
> there may be aspects of archiving signatures that warrant inclusion.
>
> Nick
>
> > -----Original Message-----
> > From: comment-form@oasis-open.org [mailto:comment-form@oasis-open.org]
> > Sent: 22 August 2005 09:19
> > To: dss-comment@lists.oasis-open.org
> > Subject: [dss-comment] Public Comment
> >
> > Comment from: gonzalezcarlos@netfocus.es
> >
> > Name: Carlos González-Cadenas
> >
> > Title: Technical Director
> >
> > Organization: netfocus
> >
> > Regarding Specification: DSS Committee Draft 2
> >
> > Hi all,
> >
> > First of all, I would like to report an XML Schema constraint violation
> > (Unique Particle Attribution) (http://www.w3.org/TR/xmlschema-1/#cos-nonambig),
> > in the elements "InputDocuments" and "Timestamp", in particular with
> > <xs:any processContents="lax"/>
> >
> > This problem is easily resolved for "InputDocuments" using
> > namespace="##other", but is somewhat more complicated for the Timestamp
> > element (maybe requiring some structural redefinition).
> >
> > Also, I would like to know if you are thinking about extending the
> > protocol suite included in DSS, for example, adding a signature archive
> > protocol, very useful for providing signature archiving/long-term
> > archiving.
> >
> > Kind regards,
> >
> > Carlos
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dss-comment-unsubscribe@lists.oasis-open.org
> > For additional commands, e-mail: dss-comment-help@lists.oasis-open.org
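The Unique Particle Attribution problem raised in the original public comment, and the reason namespace="##other" resolves InputDocuments but not, on its own, Timestamp, as an added example that is not part of the thread or of the DSS schemas. It implements the XSD 1.0 wildcard namespace rules for the xs:choice case only; the CD2 content models (dss:Document/TransformedData/DocumentHash children for InputDocuments, a ds:Signature alternative for Timestamp) are constructed approximations and an assumption.

```python
# Added example (not from the mail thread or the DSS schemas): a model of the
# XSD 1.0 wildcard namespace rules, used to show why an <xs:any> beside element
# particles violates Unique Particle Attribution and where ##other cures it.
from dataclasses import dataclass
from typing import Optional

DSS_NS = "urn:oasis:names:tc:dss:1.0:core:schema"  # targetNamespace of the DSS core
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


@dataclass(frozen=True)
class Element:
    ns: Optional[str]  # None models an element in no namespace
    local: str


@dataclass(frozen=True)
class Wildcard:
    namespace: str = "##any"  # value of the xs:any "namespace" attribute


def wildcard_accepts(wc: Wildcard, target_ns: str, elem_ns: Optional[str]) -> bool:
    """Can <xs:any namespace=...>, declared in a schema whose targetNamespace is
    target_ns, match an element in namespace elem_ns? (XSD 1.0 wildcard rules)"""
    tokens = wc.namespace.split()
    if tokens == ["##any"]:
        return True
    if tokens == ["##other"]:
        # ##other = every namespace except the target namespace and "absent".
        return elem_ns is not None and elem_ns != target_ns
    allowed = {target_ns if t == "##targetNamespace" else None if t == "##local" else t
               for t in tokens}
    return elem_ns in allowed


def choice_upa_conflicts(particles, target_ns: str):
    """(element, wildcard) pairs that could both match the same child element.
    In an xs:choice every particle is a candidate for the next child, so a
    single pair is a cos-nonambig violation and the schema itself is rejected."""
    elems = [p for p in particles if isinstance(p, Element)]
    wilds = [p for p in particles if isinstance(p, Wildcard)]
    return [(e, w) for e in elems for w in wilds if wildcard_accepts(w, target_ns, e.ns)]


# Constructed approximations (assumption) of the CD2 content models under discussion.
INPUT_DOCUMENTS_CD2 = [Element(DSS_NS, "Document"), Element(DSS_NS, "TransformedData"),
                       Element(DSS_NS, "DocumentHash"), Wildcard("##any")]
INPUT_DOCUMENTS_FIXED = INPUT_DOCUMENTS_CD2[:-1] + [Wildcard("##other")]
# Timestamp: ds:Signature lives in the xmldsig namespace, so ##other still overlaps it
# and the content model needs restructuring rather than a namespace constraint.
TIMESTAMP_FIXED = [Element(DS_NS, "Signature"), Element(DSS_NS, "RFC3161TimeStampToken"),
                   Wildcard("##other")]
```

With these models, choice_upa_conflicts reports all three element children of the CD2 InputDocuments as ambiguous, none for the ##other variant, and still ds:Signature for Timestamp.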
<?xml version="1.0" encoding="UTF-8"?>
<!-- Compound Request/Response Profile of the OASIS DSS Schema v1.0 -->
<!-- Author: Carlos González-Cadenas -->
<!-- Date: December 2005 -->
<xs:schema targetNamespace="urn:oasis:names:tc:dss:1.0:profiles:archive"
           xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:xades="http://uri.etsi.org/01903/v1.2.2#"
           xmlns="urn:oasis:names:tc:dss:1.0:profiles:archive"
           elementFormDefault="qualified"
           attributeFormDefault="unqualified">
  <!-- Note: this draft reuses the archive profile's target namespace (see the
       archive schema below); the profile URIs are not yet definitive. -->
  <xs:import namespace="urn:oasis:names:tc:dss:1.0:core:schema"
             schemaLocation="dss-v1.0-core-schema-cd-r03.xsd"/>

  <!-- A CompoundRequest carries several DSS requests in one round trip; the
       Requests element is the core's open dss:AnyType, so any request type fits. -->
  <xs:element name="CompoundRequest">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:OptionalInputs" minOccurs="0"/>
        <xs:element name="Requests" type="dss:AnyType"/>
      </xs:sequence>
      <xs:attribute name="RequestID" type="xs:string" use="optional"/>
      <xs:attribute name="Profile" type="xs:anyURI" use="optional"/>
    </xs:complexType>
  </xs:element>

  <!-- The response extends the core ResponseBaseType (Result etc.) with the
       individual responses, again carried as dss:AnyType. -->
  <xs:element name="CompoundResponse">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="dss:ResponseBaseType">
          <xs:sequence>
            <xs:element name="Responses" type="dss:AnyType" minOccurs="0"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>
</xs:schema>
<?xml version="1.0" encoding="UTF-8"?>
<!-- XSS Profile of the OASIS DSS Schema v1.0 -->
<!-- Author: Carlos González-Cadenas -->
<!-- Date: December 2005 -->
<xs:schema targetNamespace="urn:oasis:names:tc:dss:1.0:profiles:XSS"
           xmlns:archp="urn:oasis:names:tc:dss:1.0:profiles:archive"
           xmlns:tsl="http://uri.etsi.org/02231/v1.0bis 2005-04#"
           xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:xades="http://uri.etsi.org/01903/v1.2.2#"
           xmlns:saml20="urn:oasis:names:tc:SAML:2.0:assertion"
           xmlns="urn:oasis:names:tc:dss:1.0:profiles:XSS"
           elementFormDefault="qualified"
           attributeFormDefault="unqualified">
  <!-- Note: the draft refers to xsp:CommitmentType and xsp:CertificateTrustTreesType
       below without declaring or importing the "xsp" namespace, so a schema
       processor will reject the document until that import is added. -->
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
             schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
  <xs:import namespace="http://uri.etsi.org/01903/v1.2.2#"
             schemaLocation="http://uri.etsi.org/01903/v1.2.2/XAdES.xsd"/>
  <xs:import namespace="urn:oasis:names:tc:dss:1.0:core:schema"
             schemaLocation="http://docs.oasis-open.org/dss/v1.0/dss-v1.0-core-schema-cd-r03.xsd.xml"/>
  <xs:import namespace="http://uri.etsi.org/02231/v1.0bis 2005-04#"
             schemaLocation="TS101231v1_2_1.xsd"/>
  <xs:import namespace="urn:oasis:names:tc:dss:1.0:profiles:archive"
             schemaLocation="oasis-dss-1.0-profiles-archive-schema-wd01.xsd"/>
  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
             schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"/>

  <!-- Signature policy to apply (XAdES object identifier), optionally allowing policy mappings -->
  <xs:element name="SignaturePolicy">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="xades:ObjectIdentifierType">
          <xs:attribute name="allowPolicyMappings" type="xs:boolean" use="optional" default="false"/>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>

  <!-- Identification and digest of the signature policy that was applied -->
  <xs:element name="SignaturePolicyInfo">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="SignaturePolicyIssuer" type="xs:string"/>
        <xs:element name="SignaturePolicyIdentifier" type="xades:ObjectIdentifierType"/>
        <xs:element name="SignaturePolicyDigestAlgorithm" type="xades:ObjectIdentifierType"/>
        <xs:element name="SignaturePolicyDigestValue" type="ds:DigestValueType"/>
        <xs:element ref="ds:Transforms" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <!-- Ask the server to sign its response, optionally requiring given commitment types -->
  <xs:element name="ReturnSignedResponse">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="RequiredCommitments" minOccurs="0">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="CommitmentType" type="xsp:CommitmentType" maxOccurs="unbounded"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="ResponseSignature">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ds:Signature"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <!-- Request / return attributes of the signature, expressed as SAML 2.0 attributes -->
  <xs:element name="ReturnSignatureInfo">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="AttributeDesignator" type="saml20:AttributeType" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="SignatureInfo">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Attribute" type="saml20:AttributeType" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:complexType name="BinaryAttributeValueType">
    <xs:simpleContent>
      <xs:extension base="xs:base64Binary">
        <xs:attribute name="Attribute" type="xs:anyURI" use="required"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>

  <!-- Request / return attributes of the signing certificate, expressed as SAML 2.0 attributes -->
  <xs:element name="ReturnX509CertificateInfo">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="AttributeDesignator" type="saml20:AttributeType" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="X509CertificateInfo">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Attribute" type="saml20:AttributeType" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <!-- Trust-service status list (TSL) scheme used for certificate validation -->
  <xs:element name="Scheme"/>
  <xs:element name="SchemeInfo">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="SchemeName" type="tsl:InternationalNamesType"/>
        <xs:element name="TSLSequenceNumber" type="xs:integer"/>
        <xs:element name="TSLDigestAlgorithm" type="xades:ObjectIdentifierType"/>
        <xs:element name="TSLDigestValue" type="ds:DigestValueType"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="X509CertificateValidationOptions" type="xsp:CertificateTrustTreesType"/>
  <xs:element name="RequireQualifiedCertificate"/>

  <!-- Archive optional input for sign/verify (elements from the archive profile) and its output -->
  <xs:element name="Archive">
    <xs:complexType>
      <xs:sequence>
        <xs:choice>
          <xs:element ref="archp:ArchivePolicy" minOccurs="0"/>
          <xs:element ref="archp:RetentionPeriod" minOccurs="0"/>
        </xs:choice>
        <xs:element ref="archp:UpdateSignature" minOccurs="0"/>
        <xs:element ref="archp:ArchiveMode" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="ArchiveInfo">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="ArchiveIdentifier"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <!-- Counter-signature of the referenced input document, or a parallel signature -->
  <xs:element name="CounterSignature">
    <xs:complexType>
      <xs:attribute name="WhichDocument" type="xs:IDREF" use="required"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="ParallelSignature"/>
</xs:schema>
<?xml version="1.0" encoding="UTF-8"?>
<!-- Signature Archive Profile of the OASIS DSS Schema v1.0 -->
<!-- Author: Carlos González-Cadenas -->
<!-- Date: December 2005 -->
<xs:schema targetNamespace="urn:oasis:names:tc:dss:1.0:profiles:archive"
           xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:xades="http://uri.etsi.org/01903/v1.2.2#"
           xmlns="urn:oasis:names:tc:dss:1.0:profiles:archive"
           elementFormDefault="qualified"
           attributeFormDefault="unqualified">
  <xs:import namespace="urn:oasis:names:tc:dss:1.0:core:schema"
             schemaLocation="dss-v1.0-core-schema-cd-r03.xsd"/>
  <xs:import namespace="http://uri.etsi.org/01903/v1.2.2#"
             schemaLocation="XAdES.xsd"/>

  <!-- Submit: the client hands over a dss:SignatureObject and receives the
       ArchiveIdentifier under which the server stored it. -->
  <xs:element name="ArchiveSubmitRequest">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:OptionalInputs" minOccurs="0"/>
        <xs:element ref="dss:SignatureObject"/>
      </xs:sequence>
      <xs:attribute name="RequestID" type="xs:string" use="optional"/>
      <xs:attribute name="Profile" type="xs:anyURI" use="optional"/>
    </xs:complexType>
  </xs:element>

  <xs:element name="ArchiveSubmitResponse">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="dss:ResponseBaseType">
          <xs:sequence>
            <xs:element name="ArchiveIdentifier" type="ArchiveIdentifier" minOccurs="0"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>

  <!-- Retrieval, deletion and modification all address the archived signature
       by its ArchiveIdentifier (shared request type at the end of the schema). -->
  <xs:element name="ArchiveRetrievalRequest" type="ArchiveIdentifierRequest"/>
  <xs:element name="ArchiveRetrievalResponse">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="dss:ResponseBaseType">
          <xs:sequence>
            <xs:element ref="dss:SignatureObject" minOccurs="0"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>

  <xs:element name="ArchiveDeleteRequest" type="ArchiveIdentifierRequest"/>
  <xs:element name="ArchiveDeleteResponse">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="dss:ResponseBaseType">
          <xs:sequence>
            <xs:element ref="dss:SignatureObject" minOccurs="0"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>

  <xs:element name="ArchiveModifyRequest" type="ArchiveIdentifierRequest"/>
  <xs:element name="ArchiveModifyResponse" type="dss:ResponseBaseType"/>

  <xs:simpleType name="ArchiveIdentifier">
    <xs:restriction base="xs:string"/>
  </xs:simpleType>

  <!-- Archive options, also usable as optional inputs of the sign/verify
       protocols via the XSS profile's Archive element. -->
  <xs:element name="ArchivePolicy" type="xades:ObjectIdentifierType"/>
  <xs:element name="RetentionPeriod" type="xs:duration"/>
  <xs:element name="UpdateSignature">
    <xs:complexType>
      <xs:attribute name="Type" type="xs:anyURI" use="required"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="ArchiveMode" type="xs:anyURI"/>

  <xs:complexType name="ArchiveIdentifierRequest">
    <xs:sequence>
      <xs:element ref="dss:OptionalInputs" minOccurs="0"/>
      <xs:element name="ArchiveIdentifier" type="ArchiveIdentifier"/>
    </xs:sequence>
    <xs:attribute name="RequestID" type="xs:string" use="optional"/>
    <xs:attribute name="Profile" type="xs:anyURI" use="optional"/>
  </xs:complexType>
</xs:schema>
oasis-dss-1.0-profiles-XSS-spec-wd02.doc
oasis-dss-1.0-profiles-archive-spec-wd01.doc
oasis-dss-1.0-profiles-compound-spec-wd01.doc