

Subject: Re: [spam] Re: [ubl-security] Questions regarding the XAdES Profile


At 2010-08-26 16:49 -0400, Jon Bosak wrote:
>Sorry if this is something that should be obvious to me, but I'm
>not understanding the need for multiple signatures on UBL
>CertificateOfOrigin.

This sample from Roberto illustrates the multiple signatures on the one form:

   http://www.export911.com/e911/export/docFormA.htm#docFormA

>I thought our document was just the
>*application* for a COO.  Did I get that wrong?

Ah, that I don't know from the work done two years ago.  But looking 
today at the definitions of the document-level ABIE children, I see:

   A document that describes the Certificate of Origin.
   Unique Identifier of the Certificate Of Origin.
   Date on which the Certificate Of Origin was issued.
   Time at which the Certificate Of Origin was issued.
   etc.

The ASBIE child named CertificateOfOriginApplication appears to be 
describing the application that created the UBL CertificateOfOrigin 
instance ... I don't think that makes the CoO document itself the 
application ... it is just a record of the application details that 
were the genesis of the UBL document.

The signature business objects in CoO are as follows:

   cac:CertificateOfOriginApplication/cac:Signature
   cac:IssuerEndorsement/cac:Signature
   cac:EmbassyEndorsement/cac:Signature
   cac:InsuranceEndorsement/cac:Signature

Roberto, which of the above signatures would correspond to the "Form 
A" signatures in the example cited above from the page you gave us 
today?  Should we identify for the PRD1 feedback that there are 
missing signatures needed for CoO to be added for PRD2 based on this example?

BTW, I just found that the signature business object is in 
cac:Certificate which is used in cac:Item which is used in exactly 50 
of our 60 documents.  So it isn't *only* the CoO which has the 
multiple signature group situation:  we'll need a separate signature 
group in the extension for every item certificate.  And they'll need 
to be able to be signed in an arbitrary order, which forces my hand 
regarding the digital signature transform expression.

At least that is how I read it.

. . . . . . . . . . . Ken

--
G. Ken Holman
OASIS Individual Member
Crane Softwrights Ltd.
http://www.oasis-open.org
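
Added example, not part of the message above and not taken from any UBL deliverable: one reading of why signature groups that can be signed in arbitrary order constrain the transform. It assumes a constructed document, a placeholder extension namespace and empty ds:Signature elements, and models each transform by removing elements before hashing.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXT = "urn:example:extensions"          # constructed namespace, not UBL's
ET.register_namespace("ds", DS)
ET.register_namespace("ext", EXT)

# Constructed sample document; element names are placeholders.
DOC = ('<CertificateOfOrigin xmlns:ext="urn:example:extensions">'
       '<ext:Extensions/><ID>COO-1</ID></CertificateOfOrigin>')

def add_signature(root, sig_id):
    """Append an empty ds:Signature placeholder to the extension area."""
    ext = root.find(f"{{{EXT}}}Extensions")
    return ET.SubElement(ext, f"{{{DS}}}Signature", {"Id": sig_id})

def _digest(root, drop):
    """SHA-256 of the canonical form after removing signatures chosen by drop()."""
    tree = copy.deepcopy(root)
    ext = tree.find(f"{{{EXT}}}Extensions")
    for sig in list(ext):
        if drop(sig):
            ext.remove(sig)
    c14n = ET.canonicalize(ET.tostring(tree, encoding="unicode"))
    return hashlib.sha256(c14n.encode()).hexdigest()

def digest_enveloped(root, own_id):
    """Models the enveloped-signature transform: only the signer's own element goes."""
    return _digest(root, lambda s: s.get("Id") == own_id)

def digest_excluding_all(root):
    """Models a transform that filters out every signature in the extension area."""
    return _digest(root, lambda s: s.tag == f"{{{DS}}}Signature")

def demo():
    """Return (enveloped digest still matches, filtered digest still matches)."""
    root = ET.fromstring(DOC)
    add_signature(root, "issuer")
    enveloped_at_signing = digest_enveloped(root, "issuer")
    filtered_at_signing = digest_excluding_all(root)
    add_signature(root, "embassy")      # a later, independent signer
    return (enveloped_at_signing == digest_enveloped(root, "issuer"),
            filtered_at_signing == digest_excluding_all(root))

if __name__ == "__main__":
    print(demo())
```

With only the signer's own element removed, the issuer's digest no longer matches once a second signature is added; with every signature filtered out, the digest is the same whichever party signs first.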


