[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [dss]: A first quick Shot at section 4.4 and section 4.6.1
Hi Tommy and all,
please find comments below.
regards
Konrad
Tommy Lindberg wrote:
> Section 2.6 starting at line 551.
>
> ""
> The <ResultMajor> and <ResultMinor> URIs MUST be values defined by
> this specification
> or by some profile of this specification. The <ResultMajor> values
> defined by this specification are:
>
> urn:oasis:names:tc:dss:1.0:resultmajor:Success
> The protocol executed successfully.
>
> urn:oasis:names:tc:dss:1.0:resultmajor:RequesterError
> The request could not be satisfied due to an error on the part of the
> requester.
>
> urn:oasis:names:tc:dss:1.0:resultmajor:ResponderError
> The request could not be satisfied due to an error on the part of the
> responder.
What about the <ResultMinor> values if the <ResultMajor> code is
ResponderError?
How about this?
""
The following <ResultMinor> values SHALL only be
returned when the <ResultMajor> code is ResponderError.
urn:oasis:names:tc:dss:1.0:resultminor:ResponderException
The processing of your request caused an exceptional state. Further
Information should be given in the result message instructing the user
to provide information to the relevant administrator.
urn:oasis:names:tc:dss:1.0:resultminor:OutOfServiceHours
The the service is currently not operating.
urn:oasis:names:tc:dss:1.0:resultminor:Maintenance
The the service is currently under Maintenance.
""
etc..
We should also add the following <ResultMajor>
""
urn:oasis:names:tc:dss: 1.0:resultmajor:InsufficientInformation.
The request could not be satisfied due to insufficient information.
""
plus the following <ResultMinor> values.
""
The following <ResultMinor> values SHALL only be
returned when the <ResultMajor> code is InsufficientInformation.
urn:oasis:names:tc:dss:1.0:resultminor:CrlNotAvailiable
The relevant certificate revocation list was not available for checking.
urn:oasis:names:tc:dss:1.0:resultminor:OcspNotAvailiable
The relevant revocation information was not available via the online
certificate status protocol.
urn:oasis:names:tc:dss:1.0:resultminor:CertificateChainNotComplete
The chain of trust could not be established binding the public key used
for validation to a trusted root certification authority via potential
intermediate certification authorities.
""
etc ...
> [...] Section 4.4 in its entirety.
> ""
> [...]
> urn:oasis:names:tc:dss: 1.0:resultminor:valid:signature:OnTransformedDocuments
> The signature or timestamp is valid. Furthermore, the signature or
> timestamp covers all of the
> input documents. However, some or all of the input documents have
> additional transforms applied
> to them that were not specified by the client.
My view is that
urn:oasis:names:tc:dss:1.0:resultminor:valid:signature:OnTransformedDocuments
should be removed, as the client does not specify transforms on a verify
request and a server only performs the transforms
inside<ds:Reference>/<ds:Transforms>.
> urn:oasis:names:tc:dss:1.0:resultminor:valid:signature:HasManifestResults
> The signature is valid with respect to XML Signature core validation.
> In addition, the message also
> contains VerifyManifestResults.
> [...]
> urn:oasis:names:tc:dss:1.0:resultminor:inappropriate:signature
> The signature or its contents are not appropriate in the current
> context. For example, the
> signature may be associated with a signature policy and semantics
> which the DSS server
> considers unsatisfactory.
> ""
This should be moved up to section 2.6 and associated with RequesterError.
>
> Section 4.6.2
>
> ""
> For example, if a client supplies the optional input
> <VerifyManifests>, then the returned
> <ResultMinor> is
> urn:oasis:names:tc:dss:1.0:resultminor:valid:hasManifestResults
for positive XMLDSig core validation
> and the
> optional output <VerifyManifestResults> is returned indicating the
> status of the manifest reference
> verification.
> ""
In case of a negative XMLDSig core validation the relevant <ResultMinor>
urn:oasis:names:tc:dss:1.0:resultminor:invalid:* is to be returned.
>
> Section 4.6.4
>
> The granularity of the *Detail in <ProcessingDetails> should, in the
> case of a Manifest, be per
> Reference; to reflect this I suggest changing the text on lines 1703
> and 1704 from
>
> ""
> urn:oasis:names:tc:dss:1.0:detail:Manifest
> Whether the manifests in the XML signature verified correctly.
> ""
>
> to
>
> ""
> urn:oasis:names:tc:dss:1.0:detail:ManifestReference
> Whether a manifest reference in the XML signature verified correctly.
> ""
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]