Subject: Action [Konrad] enable DocumentWithSignature for VerifyResponse,put before 4.6.7
Dear all,
a text draft proposal for the end of section 4.6.7
Konrad
4.6.7 Optional Input <ReturnUpdatedSignature> and Outputs <DocumentWithSignature>, <UpdatedSignature>.
[...]
<UpdatedSignature>/<SignatureObject> [Optional]
The resulting updated signature or timestamp or, in the case of a signature being enveloped in an output document, a pointer to the signature.
A DSS server SHOULD perform the following steps, upon receiving a <ReturnUpdatedSignature>. These steps may be changed or overridden by a profile or policy the server is operating under (e.g. for PDF documents enveloping CMS signatures).
1. If the signature to be verified and updated appears within a <SignatureObject>'s <ds:Signature> (detached or enveloping) or <Base64Signature> then the <UpdatedSignature> optional output MUST contain the modified <SignatureObject> with the corresponding <ds:Signature> (detached or enveloping) or <Base64Signature> child containing the updated signature.
2. If the signature to be verified and updated is enveloped, and if the <VerifyRequest> contains a <SignatureObject> with a <SignaturePtr> pointing to an <InputDocument> (<Base64XML>, <InlineXML>, <EscapedXML>) enveloping the signature then the server MUST produce the following TWO optional outputs, first a <DocumentWithSignature> optional output containing the document that envelops the updated signature, second an <UpdatedSignature> optional output containing a <SignatureObject> having a <SignaturePtr> element that MUST point to the former <DocumentWithSignature>.
3. If there is no <SignatureObject> at all in the request then the server MUST produce only a <DocumentWithSignature> optional output containing the document being updated signature. No <UpdatedSignature> element will be generated.
ad 2.) and 3.)
The <DocumentWithSignature> optional output (for the schema refer to section 3.5.8) contains the input document with the given signature inserted. It has one child element:
<Document> [Required]
This returns the given document with a signature inserted in some fashion.
The resulting document with the updated enveloped signature is placed in the optional output <DocumentWithSignature>. The server places the signature in the document identified using the <SignatureObject>/<SignaturePtr>'s WhichDocument attribute.
This <Document> MUST include a “same-document” RefURI attribute which references the data updated (e.g. of the form RefURI=“”).
In the case of a non-XML input document.
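The three steps of the draft above, worked through as an added Python example that is not part of the original message or of the DSS specification. The names plan_outputs and make_request are hypothetical, elements are matched by local name only, the sample namespace is a placeholder, and rejecting a <SignaturePtr> that names no input document is an assumption the draft does not state.

```python
import xml.etree.ElementTree as ET

XML_FORMS = {"Base64XML", "InlineXML", "EscapedXML"}  # document forms named in step 2

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # element name without its namespace

def _child(el, name):
    if el is None:
        return None
    return next((c for c in el if _local(c) == name), None)

def plan_outputs(request_xml):
    """Names of the optional outputs that steps 1-3 call for, in order."""
    # Hypothetical helper; parse untrusted requests with a hardened XML parser.
    root = ET.fromstring(request_xml)
    if _child(_child(root, "OptionalInputs"), "ReturnUpdatedSignature") is None:
        return []
    sig_obj = _child(root, "SignatureObject")
    if sig_obj is None:  # step 3: signature lives only inside the input document
        return ["DocumentWithSignature"]
    if any(_local(c) in ("Signature", "Base64Signature") for c in sig_obj):
        return ["UpdatedSignature"]  # step 1
    ptr = _child(sig_obj, "SignaturePtr")
    if ptr is None:
        raise ValueError("SignatureObject form not covered by steps 1-3")
    which = ptr.get("WhichDocument")
    docs = _child(root, "InputDocuments")
    target = None
    for doc in (docs if docs is not None else ()):
        if _local(doc) == "Document" and which is not None and doc.get("ID") == which:
            target = doc
    # Assumption beyond the draft: reject a pointer that names no input document.
    if target is None:
        raise ValueError("SignaturePtr does not resolve to an InputDocument")
    if not any(_local(c) in XML_FORMS for c in target):
        raise ValueError("step 2 as drafted covers XML input documents only")
    return ["DocumentWithSignature", "UpdatedSignature"]  # step 2, in that order

def make_request(sig_object="", doc_form="InlineXML"):
    """Constructed sample request; the namespace is a placeholder, not the DSS one."""
    return ('<VerifyRequest xmlns="urn:example:placeholder">'
            '<OptionalInputs><ReturnUpdatedSignature/></OptionalInputs>'
            f'<InputDocuments><Document ID="doc1"><{doc_form}/></Document>'
            f'</InputDocuments>{sig_object}</VerifyRequest>')

if __name__ == "__main__":
    ptr = '<SignatureObject><SignaturePtr WhichDocument="doc1"/></SignatureObject>'
    print(plan_outputs(make_request()))     # no SignatureObject
    print(plan_outputs(make_request(ptr)))  # enveloped signature via pointer
```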