[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [ubl-security] R: [ubl-security] Security SC schedule
Dear Julián, I appreciate and share your committment in ensuring the signature interoperability, however I please ask you and all UBL Security members to limit our effort on recommending a clear methodology on using electronic signatures together with UBL, but we have to avoid the design of "profiles" which are a subsequent step and the responsability of implementers. Policies rules are a specific optional use of signatures and could be better regulated or even mandated by local countries or wider communities. UBL cannot endorse or impose a specific policy. We can however "suggest" best practices for specific business scenarios to achieve interoperability. We can suggest the ETSI specifications and profiles, but we can't have a full UBL profile, just one or two templates as a guide to implementers. Maybe a Policy "template" could be used just as a sample. Also I am not sure we can provide even a default implicit set of rules to be used in absence of a specific policy. UBL already handles the concepts of a "Profile", so an implicit set of rules (like signature policies) could be associated to a given profile (like NES or BII) by specifically using the cbc:UBLProfileID with a meaninful URI that precisely identifies that profile and scenario. I hope this mail is of help to concentrate our efforts on the main target which is to provide asap a simple guide to the UBL Community and a basement for Governments that are going to recommend the use of UBL and eSignatures. Best regards, Roberto Cisternino > Yes Andrea, you are right. > > BES is the minimum but a EPES signature gives the option to define a > policy. As in Italy, it is the case in Spain for facturae format which > should evolve to UBL soon. > > The EPES policy should stablish something like "certificate revocation > is checked before signing the UBL document" This does not provide > electronic evidence for the validity of the signature but it is simple > and mandates some requirements to the signing party which simplifies > relying party side if not whishing to check CRL or OCSP in buyer side. > > We have checked Oriol approach and have verified that it is compatible > with both UBL and TS 101 903, so enveloped signature can be part of an > UBL document. > > The second selection of XAdES-X-L (also an option in Spanish invoice > regulation), means that both timestamping and revocation check is > included in the signature of UBL document (invoice, order,...) . If this > kind of signature is done in the signer side, we have a "complete" > signature with full electronic evidence, so relaying party is freed of > knowing all possible signer CAs details. This is important since it is > usually easy for a signer to access to his/her CA OCSP and TSA services, > but can be a complex task for a receiving party to check certificate > validity in an environment in which you can have upto 20 CAs per country > (as in Spain), each with different language, roots URLs, Policies, CPS, > CRl URL or OCSL URL,... > > Both EPES and X-L policies can be defined in a way that makes > interoperability "easy", and we can provide tools for developers to test > their implementations (we have done so in our Faccil eInvoice > implementationn, which includes a SaaS validator) > > If everybody agrees with these approach, maybe these principles should > be included in the presentation you prepared. > > Best regads > > Julian Inza Aldaz > Presidente > *Albalia Interactiva, S.L.* -- * JAVEST by Roberto Cisternino * * Document Engineering Services Ltd. - Alliance Member * UBL Italian Localization SubCommittee (ITLSC), co-Chair * UBL Online Community editorial board member (ubl.xml.org) * Italian UBL Advisor Roberto Cisternino mobile: +39 328 2148123 skype: roberto.cisternino.ubl-itlsc [UBL Technical Committee] http://www.oasis-open.org/committees/ubl [UBL Online Community] http://ubl.xml.org [UBL International Conferences] http://www.ublconference.org [UBL Italian Localization Subcommittee] http://www.oasis-open.org/committees/ubl-itlsc [Iniziativa divulgativa UBL Italia] http://www.ubl-italia.org
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]