Subject: Re: [ubl-security] Questions regarding the XAdES Profile
> No full agreement is reached as Oriol reported some concern on the scaffolding structure:
> http://lists.oasis-open.org/archives/ubl-security/201008/msg00031.html
>
> I summarize very quickly what is the solution we are discussing:
>
> 1) all UBL documents will have a document-wise cac:Signature (optional) element and the general scaffolding structure inside the UBL extension is:
> <sig:SignatureInformation>
>   <sig:SignatureGroup>
>     <ds:Signature>…</ds:Signature> (one or more)
>   </sig:SignatureGroup>
> </sig:SignatureInformation>
>

Why do you need SignatureGroup inside SignatureInformation? Is sig:SignatureInformation not enough as a container for all signatures?

> 2) only for documents where more than a single cac:Signature for different purposes can be present (at present just COO) the scaffolding can include an ID to reference the relevant UBL document part that the signature refers to:
> <sig:SignatureInformation>
>   <sig:SignatureGroup> (one, if needed)
>     <ds:Signature>…</ds:Signature> (one or more)
>   </sig:SignatureGroup>
>   <sig:IdentifiedSignatureGroup> (one or more, if needed)
>     <cbc:ID></cbc:ID>
>     <sig:SignatureGroup>
>       <ds:Signature> … </ds:Signature> (one or more)
>     </sig:SignatureGroup>
>   </sig:IdentifiedSignatureGroup>
> </sig:SignatureInformation>
>

Why can we not simply use the identifier attribute from the ds:Signature element as such a signature identifier?

> Every signature applies to the whole UBL document, including its extensions and excluding the content of any sig:SignatureGroup present, to allow signatures (and counter-signatures) to be added and removed at any point in time without breaking other signatures.
> The main reason for adding this scaffolding is that electronic signature software does not know anything about UBL syntax and adding a simple external structure, common to all UBL documents, greatly simplifies the effort required for the integration. Another key issue is to minimize the effort to prepare a message for signatures (that's the reason for allowing the cac:Signature element not to be used) and to allow signatures to be added and removed at any time, to accommodate workflow management.
>
> In case 2) I think we need to agree also on the way cac:ID is used, it has not been stated and decided yet.
> I propose the <cbc:ID></cbc:ID> can reference whatever <cbc:ID></cbc:ID> is present in the UBL document, and the sig:SignatureGroup bound to this cbc:ID is associated with the UBL document section identified by the same cbc:ID. As all signatures apply to the whole document, this is just a logical association, meant to establish the purpose of the signature.
> Standard XAdES mechanisms such as the signature policy and/or the signer role can be used for any legal issue to be dealt with. Also in this situation any cac:Signature is optional.
>
> I'm asking everyone in this SC to please express their position by this week in order to start editing work next week, if an agreement is reached.
>
> Andrea
>
>
> On 23 Aug 2010, at 16:39, Jon Bosak wrote:
>
>> Hello Security SC,
>>
>> To include the proposed XAdES Profile in UBL 2.1 PRD1, I need
>> answers to the following questions:
>>
>> 1. Is the Subcommittee in agreement with the mechanism advanced by
>> Ken Holman in his message of 20 August?
>>
>> http://lists.oasis-open.org/archives/ubl-security/201008/msg00035.html
>>
>> 2. Will adoption of this mechanism require changes to the Profile
>> draft? The latest version of this document appears to be
>> UBL-XAdES-Profile 1.0-RC2.doc of 26 May 2010:
>>
>> http://lists.oasis-open.org/archives/ubl-security/201005/msg00015.html
>>
>> Jon
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail. Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
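
An added example, not part of the original message or of the UBL XAdES Profile: it models only the rule quoted above (every signature covers the whole document except the content of any sig:SignatureGroup) with a plain SHA-256 over canonical XML, not XML-DSig or XAdES processing. The sig namespace URI, the simplified element names (Invoice, Extension, Amount) and the function names are assumptions made for the illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSig namespace
SIG = "urn:example:ubl-signature"          # placeholder, not the real UBL namespace

# Constructed sample: a minimal document carrying the scaffolding from the thread.
SAMPLE = f"""<Invoice xmlns:sig="{SIG}" xmlns:ds="{DS}">
  <ID>INV-001</ID>
  <Extension>
    <sig:SignatureInformation>
      <sig:SignatureGroup>
        <ds:Signature Id="first"/>
      </sig:SignatureGroup>
    </sig:SignatureInformation>
  </Extension>
  <Amount>100.00</Amount>
</Invoice>"""


def signed_digest(xml_text: str) -> str:
    """SHA-256 of the canonical document with every sig:SignatureGroup emptied."""
    root = ET.fromstring(xml_text)
    for group in list(root.iter(f"{{{SIG}}}SignatureGroup")):
        for child in list(group):
            group.remove(child)   # signatures are not part of what is signed
        group.text = None
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"),
                                strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def add_signature(xml_text: str, sig_id: str) -> str:
    """Append another (empty, constructed) ds:Signature to the first group."""
    root = ET.fromstring(xml_text)
    group = root.find(f".//{{{SIG}}}SignatureGroup")
    ET.SubElement(group, f"{{{DS}}}Signature", {"Id": sig_id})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    base = signed_digest(SAMPLE)
    countersigned = add_signature(SAMPLE, "second")
    # Adding a signature leaves the signed content unchanged.
    print("after adding a signature:", signed_digest(countersigned) == base)
    # Changing business content does not.
    tampered = SAMPLE.replace("100.00", "900.00")
    print("after editing Amount:   ", signed_digest(tampered) == base)
```

Because the content of a sig:SignatureGroup is outside the digest, a verifier following this model should reject a group that contains anything other than ds:Signature elements.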