[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: R: [ubl-security] R: [ubl-security] Security SC schedule
Julián, the specific format you
use deals more with the semantic of the document (an order is different from an
invoice) and local regulations ( If we suggest to use
EPES, I’m sorry but this specification becomes practically inapplicable
in About signature policy,
there was endless discussions in ETSI, this because we can NEVER force with a
technicality any technical regulation. If you look at CEN best
practices they require the eInvoice recipient has to verify the signature, you
can’t change this with a signature policy (technically you can, legally
not). If we take into account eInvoicing,
if I receive an einvoice from your company I know you must insert a security
policy because of your regulations and I must accept it, on the opposite if you
receive an einvoice from my company you have to accept it without a signature
policy. For an order, it’s
up to the parties to have an agreement that specify what to do. Even PEPPOL, that support
the concept of signature policy, does not prescribe to insert it into
signatures: http://www.peppol.eu/deliverables/wp-1/d1-1-part-3-signature-policies In future they will rely
on Service Directive Expert Group prescriptions and, if nothing changed, they
ask support for BES in creation and C in verification. Consider also that EU is
adopting TSL and this will for sure change something in the ways we verify
signatures. In Italy CRLs will keep revoked certificates also after expiration,
this way the verifier has no reason to keep CRLs for every signature it
verifies, ETSI rules will change to take this into account. Also for signature verification
and document archiving it’s better to avoid any prescription. There are a
lot of good ways to deal with this problem and many specific ways to do it and
local rules. I think we have to
profile: -
to use enveloped signature (for the reason I already explained) -
how to reference the signature from cac:signature to bind the
signature to the document (in case there is more than one, you must know what
is the real one) -
to state that, depending on business requirements, the profile
support parallel signatures, countersignatures, timestamping and all formats I read Faccil case study
and I fount it very interesting, but you really can’t impose a model,
even if it’s a good one, because it can’t be applied to any
context. I hae a lot of experience in standard bodies and it simply does not
work. Regards, Andrea Caccia -------- -------- Da: Julián Inza
[mailto:julian.inza@albalia.com] Yes Andrea, you are
right. Julian Inza Aldaz Andrea Caccia escribió: I was working on the same subject but I’m afraid I
didn’t have enough time until now. In previous emails we exchanged some point where
we reached some consensus: -
to recommend enveloped
signature, respecting UBL syntax and XAdES syntax, so that an UBL tool can
validate a signed UBL, and a XAdES tool can verify an UBL document -
to avoid to prescribe any
specific envelope. XAdES-BES is the minimum, but we should avoid to give too
much detalil because they depend on the kind of document, national regulations,
other standard body activities (i.e. CEN eInvoicing2). Maybe we can raccomand
to use XAdES-BES for signature generation whenever possible to achieve the
widest possible interoperability and suggest TS 102 904 as general best
practice for implementations. About signature policies, do you think we need
them? New Italian rules (due for publication very soon) explicitly XAdES-EPES... Regards, Andrea -------- -------- Da: Julián Inza [mailto:julian.inza@albalia.com] Hello Jon, Julian Inza Aldaz Jon Bosak
escribió: Hello UBL Security
Subcommittee, |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]