

Subject: RE: [dss] Text as required by action 06-06-05-02


All,

Following on from yesterday's call, I have made a few further updates to
these proposals and added the text for RFC 3161 on XML signatures as in
attached word document.

Nick

> -----Original Message-----
> From: Nick Pope [mailto:nickpope@secstan.com]
> Sent: 12 June 2006 16:53
> To: OASIS DSS TC; Juan Carlos Cruellas
> Subject: FW: [dss] Text as required by action 06-06-05-02
>
>
>
> Juan Carlos,
>
> As we discussed following Inma's comment on RFC 3161 timestamp on
> XML signatures and looking into your proposals, I suggest:
>
> a) That we reword 3.5.2.2 (and the equivalent in section 4) to
> explicitly cover the case of XML Timestamps on XML Signatures
>
> b) That we add a 3.5.2.3 (and equivalent in section 4) to cover
> the case of RFC 3161 Timestamps on XML Signatures
>
> c) That these clauses be re-worded to apply IF the type attribute
> is RFC 3161 / XMLtimestamp urn as appropriate (leaving open for
> other timestamp types).
>
> See below specific revisions to your proposals.
>
> Nick
>
> > -----Original Message-----
> > From: Juan Carlos Cruellas [mailto:cruellas@ac.upc.edu]
> > Sent: 09 June 2006 16:30
> > To: 'OASIS DSS TC'
> > Subject: [dss] Text as required by action 06-06-05-02
> >
> >
> > Dear all,
> >
> > According to what we agreed in our last conf call below follow
> > proposals for changes in the core so that
> > signature time-stamps in XML management refers to XAdES.
> >
> > While re-reading the related parts I have also noticed some things that
> > I think should be changed.
> >
> > Below follows the list of things that I propose we should change. There
> > are references to line numbers and
> > sections. After that I make a cross-check with some of the comments
> > raised in the public comments list so that
> > we can agree whether they are suitably treated by the proposed text.
> > Please note that I am working on CD 4 document.
> >
> >
> > ------------------------------------
> >
>
> > 1. Section 3.5.2 line 1025. Page 26.
> >
> > Original text: "In particular the DSS XAdES profile [DSS-XAdES-P]..."
> >
> > Proposed text: "In particular the DSS AdES profile [DSS-AdES-P]..."
> >
> > RATIONALE: The title of the profile has actually changed to AdES as it
> > contains details for XAdES and CAdES
> > signatures. The reference itself should also be changed. See note for
> > change at the end of the list.
> >
> > -------------------------------------
> >
> > 2. Section 3.5.2 line 1038. Page 26
> >
> > Original text: "Two scenarios for the timestamping of CMS
> > sigantures are supported...."
> >
> > Proposed text: "Two scenarios for the timestamping of both CMS and XML
> > signatures are supported...."
> >
> > RATIONALE: Certainly the core is supporting the timestamping of both
> > types of signatures. Not mentioning
> > the XML signature would be misleading.
> >
> > -------------------------------------
> >
> 3. Add below
> "The following subsections specify the use of RFC 3161 timestamps
> with CMS signatures and the use of XML Timestamps or RFC 3161
> timestamps for both scenarios."
>
>
> 4 Line 1060 Change title to:
> "3.5.2.2 Processing for XML Timestamps on XML signatures"
>
> > 5. Section 3.5.2.2 lines 1068 to 1072 page 27
> >
> > Proposal. Substitute the whole paragraph from these lines to the
> > following one:
> >
> > "The present specification defines a format for XML timestamp
> > tokens. In addition
> > XAdES defines a mechanism for incorporating signature timestamps in XML
> > signatures.
> [Previous proposal to be replaced as below]
>
> If the type attribute in optional input is
> urn:oasis:names:tc:dss:1.0:core:schema:XMLTimeStampToken then the
> signature format
> MUST be as a <dss:timestamp> as defined in section 5.1 placed in a
> <xades:XMLTimeStamp> within a <xades:SignatureTimeStamp> as
> defined in [XAdES]. "
>
> >
> > RATIONALE: This text clearly indicates our resolution, ie:
> >
> > 	. Any XML time-stamp over the signature is created, MUST follow the
> > syntax that we define;
> > 	. Incorporation must be as specified in XAdES.
> >
> > -------------------------------------
> >
> > 6. Section 3.5.2.2 line 1078, page 27
> >
> > Original text: "urn:ietf:rfc:3275"
> >
> > Proposed text:
> > "urn:oasis:names:tc:dss:1.0:core:schema:XMLTimeStampToken"
> >
> > RATIONALE: I think that the previous value was a mistake: it identified
> > an XML signature, not the XML time-stamp
> > token, as it must do.
> >
>
> 7. Add section 3.5.2.3  Processing for RFC 3161 Timestamps on XML
> signatures
>
> [New text to be produced based on existing 3.5.2.2]
>
> > -------------------------------------
>
> 7+.  Replace line 1523, 1524 with
>
>  - RFC 3161 Timestamps on CMS signatures
>  - XML Timestamps on XML Signatures
>  - RFC 3161 Timestamps on XML Signatures
>
> >
> > 8. Section 4.3.2 line 1524 page 37
> >
> > Original text: "XML signature timestamp tokens"
> >
> > Proposed text: "XML timestamps tokens on XML signatures"
> Delete "-" in "time-stamp" and corrected spelling in original
>
> >
> > RATIONALE: Actually the case that we are dealing with is the signature
> > time-stamp token in XML syntax for
> > XML signatures, and the former text was not completely clear on what
> > was XML the signature, the time-stamp
> > or both. I think that the proposed text is clearer.
> >
> > -------------------------------------
> >
> > 9. Section 4.3.2 line 1528, page 37
> >
> > Original text: "the DSS XAdES profile defines"
> >
> > Proposed text: "the DSS AdES profile [DSS-AdES-P] defines"
> >
> > RATIONALE: As in proposal 1.
> >
> > -------------------------------------
> >
> > 10. Section 4.3.2.2 line 1556 page 38
> >
> > Original text: "Processing for XML timestamp tokens"
> >
> > Proposed text: "Processing for XML timestamps tokens on XML signatures."
> >
> > RATIONALE: In the line of what I said in proposal 6.
> >
> >
> > -------------------------------------
> >
> > 11. Section 4.3.2.2 line 1557, page 38
> >
> > Original text: "The present setion describes the processing rules for
> > verifying and XML Signature timestamp
> > token embedded within an XML signature as an unsigned property."
> >
> > Proposed text 1 : "The present section describes the processing
> > rules for verifying an XML Signature timestamp
> > token embedded within an XML signature using the incorporation
> > mechanisms specified in XAdES."
> >
> > Proposed text 1 : "The present section describes the processing
> > rules for verifying an XML Signature timestamp
> > token embedded within an XML signature using the incorporation
> > mechanisms specified in XAdES (i.e., in the
> > <xades:XMLTimeStamp> <xades:SignatureTimeStamp> element's child )."
> >
> > RATIONALE: As agreed explicit mention to XAdES as for how the XML
> > time-stamp must come within the XML signature.
> > The only doubt I have is about the degree of detail. That is why there
> > are two proposed text, being the second
> > more detailed, as it explicitly mentions where the XML time-stamp token
> > will appear... We can talk on them in
> > the conf call.
> >
>
> 12) Add new section 4.3.2.3 XML timestamps tokens on XML signatures
>
> [Text to be produced based on 4.3.2.1 & 4.3.2.2
> >
> > A. PROPOSALS FOR CHANGES
> >
> > -------------------------------------
> >
> > 9. Section 4.3.2.2 line 1573, page 38
> >
> > Original text: "Verify that one of the <ds:Reference> element has ...."
> >
> > Proposed text: "Verify that one of the <ds:Reference> elements has ...."
> >
> > RATIONALE: It must be plural.
> >
> >
> > -------------------------------------
> >
> > 10. Section 4.3.2.2 line 1585 to 1592, page 39
> >
> > Original text: the whole steps 7 and 8
> >
> > Proposed text:
> >
> > "7. Take each of the other <ds:Reference> elements and for each one
> > proceed to its validation as specified in [XMLSig].
> >
> > 8. Check that for one of the <ds:Reference> elements the retrieved data
> > object is actually
> > the <ds:SignatureValue> element and that it contains its digest after
> > canonicalization.
> >
> > 9. Set the <dss:Result> element as appropriate"
> >
> >
> > RATIONALE: The former text was inconsistent with the text in 1571, where
> > we said "the <ds:SignedInfo>
> > contains at least two <ds:Reference> elements". Former step 7 began
> > "Take the other <ds:Reference>" when
> > there could actually be more than one.
> >
> > ADDITIONAL ISSUE: I would like to bring your attention to the proposed
> > text in step 8. I tried to say that
> > one of the <ds:Reference> elements must contain the digest of the
> > canonicalized <ds:SignatureValue> value. Do
> > you think that the writing is accurate and clear enough?
> >
> >
> > -------------------------------------
> >
> >
> > 11. Section 8, Line 2051. Page 24.
> >
> > Original text: "[DSS-XAdES-P] JC cruellas et al. DSS XAdES Profile.
> > OASIS, April 2006"
> >
> > Proposed text: "[DSS-AdES-P] JC cruellas et al. "Advanced Electronic
> > Signature Profiles of the OASIS Digital Signature Service" "
> >
> >
> >
> > B. CROSS-CHECK WITH COMMENTS:
> >
> >
> > -------------------------------------
> >
> > 1. COMMENT BY INMA MARIN OF MAY 16TH.
> >
> > She says "there is no indication on how a <SignRequest> should be
> > created so as to get the timestamping of an existing
> > XML signature from the DSS server".
> >
> > a. Line 1038 in 3.5.2, changed as suggested in proposal 2 would read
> >
> > "Two scenarios for the timestamping of both CMS and XML signatures are
> > supported...."
> >
> > It is pretty clear now that the core actually supports XML signatures
> > timestamping.
> >
> > b. Lines 1075 to 1077 (untouched) read
> >
> > "In scenario b) the incoming signature MUST be passed in on one of the
> > following three elements
> > <EscapedXML>, <InlineXML> or <Base64XML>"
> >
> > this instructs readers on how to include the XML signature in
> > the request.
> >
> > c. New line 1077-1078 changed as suggested in proposal 4 will read:
> >
> > "The Type attribute of the <AddTimeStamp> optional input SHALL be set to:
> > 	urn:oasis:names:tc:dss:1.0:core:schema:XMLTimeStampToken"
> >
> > There was a wrong URI here, the one of XMLSig, which contributed to
> > increase confusion here....
> >
> > I think that with the two highlighted changes it should be pretty clear
> > how to request an XML timestamp on an XML signature.
> >
> >
> > Regards
> >
> > Juan Carlos.
> >
> >
> >
> >

dss-core-signaturetimestamp-rev-b.doc
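
The check in step 8 of the proposed verification text quoted above (one `<ds:Reference>` of the timestamp must resolve to the `<ds:SignatureValue>` and carry the digest of its canonical form), as an added example that is not part of the original messages or of the DSS specification. It covers only that binding check, not step 7 or the validation of the timestamp's own signature. Assumptions: SHA-256 as the digest, Python's built-in C14N 2.0 standing in for whatever canonicalization the reference names, a same-document `#Id` reference, and hypothetical function names and sample values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)  # keep the ds: prefix when re-serialising


def signature_value_digest(signature):
    """Return (Id, base64 SHA-256) of the canonicalized <ds:SignatureValue>."""
    sv = signature.find(f"{{{DS}}}SignatureValue")
    if sv is None:
        raise ValueError("no <ds:SignatureValue> in signature")
    # Assumption: stdlib C14N 2.0 stands in for the reference's own transform.
    c14n = ET.canonicalize(ET.tostring(sv, encoding="unicode"))
    digest = hashlib.sha256(c14n.encode("utf-8")).digest()
    return sv.get("Id", ""), base64.b64encode(digest).decode()


def timestamp_covers_signature(signature, signed_info):
    """Proposed step 8: one <ds:Reference> must resolve to the
    <ds:SignatureValue> and carry the digest of its canonical form."""
    refs = signed_info.findall(f"{{{DS}}}Reference")
    if len(refs) < 2:  # the text requires at least two <ds:Reference> elements
        return False
    sv_id, expected = signature_value_digest(signature)
    for ref in refs:
        if sv_id and ref.get("URI") == f"#{sv_id}":
            value = ref.findtext(f"{{{DS}}}DigestValue", default="").strip()
            if value == expected:
                return True
    return False


def build_sample(sig_value, covered_value):
    """Constructed sample: a signature carrying `sig_value` and a timestamp
    <ds:SignedInfo> whose second reference digests `covered_value`."""
    def sig(v):
        return ET.fromstring(f'<ds:Signature xmlns:ds="{DS}"><ds:SignatureValue'
                             f' Id="sv-1">{v}</ds:SignatureValue></ds:Signature>')
    _, digest = signature_value_digest(sig(covered_value))
    info = ET.fromstring(
        f'<ds:SignedInfo xmlns:ds="{DS}">'
        '<ds:Reference URI="#tst"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
        f'<ds:Reference URI="#sv-1"><ds:DigestValue>{digest}</ds:DigestValue>'
        '</ds:Reference></ds:SignedInfo>')
    return sig(sig_value), info
```

A timestamp whose reference was computed over a different signature value fails the check, which is the property that ties the timestamp to this particular signature.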


