RE: [dss] XML Time-sstamp and implied references. - related problems

["Nick Pope" <pope@secstan.com>]

Juan Carlos and all,

I agree with the comment.  I think that this can be deleted as this is
already covered by 3.3.1 item 1d i:
"i.	If the <Document> has a RefURI attribute, the <ds:Reference> element’s
URI attribute is set to the value of the RefURI attribute, else this
attribute is omitted.
A signature MUST NOT be created if more than one RefURI is omitted in the
set of input documents and the server MUST report a RequesterError."

I note however that there a few related issues

Related problem 1 - No refURI in <DocumentHash> and <TransformedData>

There is a related in problem with handling <DocumentHash> (as well as
transformed data) as 3.3.6 (and 3.3.5) reference 3.3.1 item 1d which
includes the processing of RefURI in <Document>.  However, <DocumentHash>
and <TransformedData> are both defined as an element of <InputDocument>
instead of <Document>, and so does not have the attribute RefURI.

Thus, I suggest that <DocumentHash> and <TransformedData> are both made
elements of <Document>.

Related problem 2 - 2.4.3 Definition of <TransformedData>

This says name="DocumentHash" should be name="TransformedData"  (presumeably
cut and past error).

Related problem 3 - 4.3.2.2 Item 11

This does not cover all the different ways of passing the Input Document
(including Hash).  I suggest that this references the general signature
verification procedures in 4.3.

Related Problem 4 - 4.3 Item 2.  This does not cover the case of implied
reference.

Suggest add "The RefURI MAY be omitted in at most one of the set of Input
documents.  "

Nick

> -----Original Message-----
> From: Juan Carlos Cruellas [mailto:cruellas@ac.upc.edu]
> Sent: 17 February 2006 13:26
> To: DSS TC List
> Subject: [dss] XML Time-sstamp and implied references.
>
>
> Dear all,
>
> The core document, in its section 5.1.1 mandates that
>
> "For every input document being timestamped, there MUST be a single
> <ds:Reference> element whose URI attribute references the document".
>
> I think that we should not be so restrictive. XMLDSIG allows for
> ds:Reference elements without URI attributes, leaving the applications
> the task of actually retrieving the  documents. My opinion is that we
> should also replicate this behaviour and allowing ds:Reference without
> URI attributes for those situations (like XAdES signatures, for
> instance) where applications making use of the time-stamps already know
> how to get the time-stamped data objects and how to compute the
> messageImprint.
>
> Regards
>
> Juan Carlos.
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your
> TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
>