OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ubl-security message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [ubl-security] R: [ubl-security] Security SC schedule

Dear Julián,

I appreciate and share your committment in ensuring the signature
interoperability, however I please ask you and all UBL Security members to
limit our effort on recommending a clear methodology on using electronic
signatures together with UBL, but we have to avoid the design of
"profiles" which are a subsequent step and the responsability of
implementers.

Policies rules are a specific optional use of signatures and could be
better regulated or even mandated by local countries or wider communities.

UBL cannot endorse or impose a specific policy.

We can however "suggest" best practices for specific business scenarios to
achieve interoperability.

We can suggest the ETSI specifications and profiles, but we can't have a
full UBL profile, just one or two templates as a guide to implementers.

Maybe a Policy "template" could be used just as a sample.

Also I am not sure we can provide even a default implicit set of rules to
be used in absence of a specific policy.

UBL already handles the concepts of a "Profile", so an implicit set of
rules (like signature policies) could be associated to a given profile
(like NES or BII) by specifically using the cbc:UBLProfileID with a
meaninful URI that precisely identifies that profile and scenario.

I hope this mail is of help to concentrate our efforts on the main target
which is to provide asap a simple guide to the UBL Community and a
basement for Governments that are going to recommend the use of UBL and
eSignatures.

Best regards,

Roberto Cisternino

> Yes Andrea, you are right.
>
> BES is the minimum but a EPES signature gives the option to define a
> policy. As in Italy, it is the case in Spain for facturae format which
> should evolve to UBL soon.
>
> The EPES policy should stablish something like "certificate revocation
> is checked before signing the UBL document" This does not provide
> electronic evidence for the validity of the signature but it is simple
> and mandates some requirements to the signing party which simplifies
> relying party  side  if not whishing to check CRL or OCSP in  buyer side.
>
> We have checked Oriol approach and  have verified that it is compatible
> with both UBL and TS 101 903, so enveloped signature can be part of an
> UBL document.
>
> The second selection of XAdES-X-L (also an option in Spanish invoice
> regulation), means that both  timestamping and revocation check is
> included in the signature of UBL document (invoice, order,...) . If this
> kind of signature is done in the signer side, we have a "complete"
> signature with full electronic evidence, so relaying party is freed of
> knowing all possible signer CAs details. This is important since it is
> usually easy for a signer to access to his/her CA OCSP and TSA services,
> but can be a complex task for a receiving party to check certificate
> validity in an environment in which you can have upto 20 CAs per country
> (as in Spain), each with different language, roots URLs, Policies, CPS,
> CRl URL or OCSL URL,...
>
> Both EPES and X-L policies can be defined in a way  that  makes
> interoperability "easy", and we can provide tools for developers to test
> their implementations (we have done so in our Faccil eInvoice
> implementationn, which includes a SaaS validator)
>
> If everybody agrees with these approach, maybe these principles should
> be included in the presentation you prepared.
>
> Best regads
>
> Julian Inza Aldaz
> Presidente
> *Albalia Interactiva, S.L.*


-- 
* JAVEST by Roberto Cisternino
*
* Document Engineering Services Ltd. - Alliance Member
* UBL Italian Localization SubCommittee (ITLSC), co-Chair
* UBL Online Community editorial board member (ubl.xml.org)
* Italian UBL Advisor

  Roberto Cisternino

  mobile: +39 328 2148123
  skype:  roberto.cisternino.ubl-itlsc

[UBL Technical Committee]
    http://www.oasis-open.org/committees/ubl

[UBL Online Community]
    http://ubl.xml.org

[UBL International Conferences]
    http://www.ublconference.org

[UBL Italian Localization Subcommittee]
    http://www.oasis-open.org/committees/ubl-itlsc

[Iniziativa divulgativa UBL Italia]
    http://www.ubl-italia.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]