
ubl-security message



Subject: Re: [ubl-security] Comments regarding the UBL signature mechanism from the Spanish Ministry of Finance


Hi Jon,
thanks for forwarding us these comments.
Here is my view on the mentioned issues:
- Use of cac:Signature is not mandated. Even if I can agree that in many contexts it is of no use (and can be avoided), I do not exclude that it can be useful, and IMO we have to preserve it as it is already part of UBL 2.0. In cases where a UBL document can have more than a single signature for different purposes, it can be helpful to associate correctly each (set of) signatures to the document.
- The structure in the extension, at the price of very little overhead, can accommodate use cases where more than a (set of) signatures is associated to a document for different purposes. There was a long discussion on the Certificate of Origin and the proposed solution has been designed to satisfy the additional requirements that arose.

Any other/different view in this SC?

Andrea


On 18 Sep 2010, at 18:45, Jon Bosak wrote:

> Hello UBL Security SC,
> 
> Below are some signature-related issues from the Spanish Ministry
> of Finance, forwarded in translation by Oriol.  Please attend to
> these at your earliest opportunity so that changes (if any) are
> ready for implementation as soon as the initial UBL 2.1 review
> period ends.
> 
> It is unfortunate that users like the Ministry of Finance persist
> in basing implementations on discussion drafts, but this should
> not influence your effort to develop the best possible support for
> XAdES in UBL documents.  Please consider this as user input and
> make such changes as you consider appropriate within the context
> of providing a generally applicable solution.
> 
> Jon
> 
> ##################################################################
> 
> Translation:
> 
> Regarding the signature proposed in UBL 2.1, we have developed an
> implementation as proposed in the document "Andrea Caccia, Roberto
> Cisternino, Oriol Bausà Peris, Julián Inza, UBL Electronic
> Signature Profile Version 1.0, OASIS Committee Draft 06 - 25 May
> 2010" that does not match the diagrams published in UBL version
> 2.1.
> 
> We do not consider it necessary to include a reference from the
> electronic signature included in UBLExtensions to the component
> cac:Signature, since according to the information contained in the
> document, cac:Signature does not contain information of interest,
> so that the reference is useless.
> 
> <cac:Signature>
> <cbc:ID>UBLDSIG</cbc:ID>
> [...]
> <cbc:SignatureMethod>
>      http://docs.oasis-open.org/ubl/securitysc/cd-dsigp-1/xades-enveloped
> </cbc:SignatureMethod>
> <cac:SignatoryParty>
> <cac:PartyIdentification>
>      <cbc:ID>SignatureDefined</cbc:ID>
> </cac:PartyIdentification>
> </cac:SignatoryParty>
> [...]
> </cac:Signature>
> 
> If the item cac:Signature contains information concerning the
> undersigned, this would be redundant with information in the
> XML-DSig signature itself, so it would not be necessary to include a
> reference.
> 
> For this reason, we think it is not necessary to include a further
> level in the structure of the UBL extension with the element
> <SignatureInformation>, so the structure should be as follows:
> 
> <ext:UBLExtensions
> xmlns:ext="urn:oasis:names:specification:ubl:schema:xsd:CommonExtensionComponents-2">
>       [...]
> <ext:UBLExtension>
> <cbc:ID>0000000001001</cbc:ID>
> <ext:ExtensionURI>http://docs.oasis-open.org/ubl/securitysc/cd-dsigp-1/xmldsig-enveloped
> </ext:ExtensionURI>
> <ext:ExtensionContent
> xmlns:ext="urn:oasis:names:specification:ubl:schema:xsd:CommonExtensionComponents-2">
> <odsig:document-signatures
> xmlns:odsig="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="signature-f1a5-9b1d-972b-d591">
>                           [...]
>                           </ds:Signature>
> </odsig:document-signatures>
> </ext:ExtensionContent>
> </ext:UBLExtension>
> [...]
> </ext:UBLExtensions>
> 
> ==================================================================
> 
> Original:
> 
> As for the signature proposed in UBL 2.1, we have developed an
> implementation following the proposal in the document "Andrea
> Caccia, Roberto Cisternino, Oriol Bausà Peris, Julián Inza, /UBL
> Electronic Signature Profile Version 1.0/, OASIS Committee Draft
> 06 - 25 May 2010", which does not match the schemas published in
> version UBL 2.1.
> 
> We do not consider it necessary to include a reference from the
> electronic signature included in the UBLExtensions to the
> cac:Signature component, since according to the information
> contained in the document the cac:Signature does not contain
> information of interest, so the reference is useless:
> 
> <cac:Signature>
> <cbc:ID>UBLDSIG</cbc:ID>
> [...]
> <cbc:SignatureMethod>
>      http://docs.oasis-open.org/ubl/securitysc/cd-dsigp-1/xades-enveloped
> </cbc:SignatureMethod>
> <cac:SignatoryParty>
> <cac:PartyIdentification>
>      <cbc:ID>SignatureDefined</cbc:ID>
> </cac:PartyIdentification>
> </cac:SignatoryParty>
> [...]
> </cac:Signature>
> 
> 
> If the cac:Signature element did contain information about the
> signer, it would be redundant with the information that appears
> in the XML-Dsig signature itself, so it would not be necessary to
> include a reference either.
> 
> For this reason, we see it as unnecessary to include one more
> level in the structure of the UBL extension with the element
> <SignatureInformation>, leaving the structure of the signature as
> follows:
> 
> <ext:UBLExtensions
> xmlns:ext="urn:oasis:names:specification:ubl:schema:xsd:CommonExtensionComponents-2">
>       [...]
> <ext:UBLExtension>
> <cbc:ID>0000000001001</cbc:ID>
> <ext:ExtensionURI>http://docs.oasis-open.org/ubl/securitysc/cd-dsigp-1/xmldsig-enveloped
> </ext:ExtensionURI>
> <ext:ExtensionContent
> xmlns:ext="urn:oasis:names:specification:ubl:schema:xsd:CommonExtensionComponents-2">
> <odsig:document-signatures
> xmlns:odsig="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> Id="signature-f1a5-9b1d-972b-d591">
>                           [...]
>                           </ds:Signature>
> </odsig:document-signatures>
> </ext:ExtensionContent>
> </ext:UBLExtension>
> [...]
> </ext:UBLExtensions>
> 
> 
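
Added example, not part of the original message or of the UBL specification: it shows the association question debated above by resolving each ds:Signature to a cac:Signature ID in the flat layout quoted in the message and in a layout with a <SignatureInformation> wrapper. The sac:/sbc: element names and namespaces are assumed from the published UBL 2.1 schemas, the documents and IDs are constructed and simplified, and no cryptographic verification is performed.

```python
import xml.etree.ElementTree as ET

UBL = "urn:oasis:names:specification:ubl:schema:xsd:"
NS = {
    "ext": UBL + "CommonExtensionComponents-2",
    "cac": UBL + "CommonAggregateComponents-2",
    "cbc": UBL + "CommonBasicComponents-2",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "odsig": "urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0",
    # Assumption: names as in the published UBL 2.1 signature schemas.
    "sac": UBL + "SignatureAggregateComponents-2",
    "sbc": UBL + "SignatureBasicComponents-2",
}
PURPOSES = ("SIG-ORIGIN", "SIG-CUSTOMS")  # constructed cac:Signature IDs


def sample(wrapped):
    """Constructed, simplified document: two cac:Signature, two ds:Signature."""
    decl = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    cac = "".join(f"<cac:Signature><cbc:ID>{i}</cbc:ID></cac:Signature>"
                  for i in PURPOSES)
    sigs = ""
    for n, i in enumerate(PURPOSES):
        ds = f'<ds:Signature Id="sig-{n}"/>'
        sigs += (f"<sac:SignatureInformation><sbc:ReferencedSignatureID>{i}"
                 f"</sbc:ReferencedSignatureID>{ds}</sac:SignatureInformation>"
                 ) if wrapped else ds
    if not wrapped:  # flat layout quoted in the message
        sigs = f"<odsig:document-signatures>{sigs}</odsig:document-signatures>"
    return (f"<Invoice {decl}><ext:UBLExtensions><ext:UBLExtension>"
            f"<ext:ExtensionContent>{sigs}</ext:ExtensionContent>"
            f"</ext:UBLExtension></ext:UBLExtensions>{cac}</Invoice>")


def link_signatures(xml_text):
    """Map each ds:Signature Id to the cac:Signature ID it references, or None."""
    root = ET.fromstring(xml_text)  # constructed input; harden for untrusted XML
    declared = {e.text.strip() for e in root.findall("cac:Signature/cbc:ID", NS)}
    links = {}
    for content in root.iterfind(".//ext:ExtensionContent", NS):
        for info in content.iterfind(".//sac:SignatureInformation", NS):
            ref = info.findtext("sbc:ReferencedSignatureID", "", NS).strip()
            for ds in info.iterfind("ds:Signature", NS):
                links[ds.get("Id")] = ref if ref in declared else None
        for ds in content.iterfind(".//ds:Signature", NS):
            links.setdefault(ds.get("Id"), None)  # no reference: purpose unknown
    return links


if __name__ == "__main__":
    print("flat:   ", link_signatures(sample(False)))
    print("wrapped:", link_signatures(sample(True)))
```

With a single signature the flat layout loses nothing; with two signatures for different purposes, only the wrapped layout tells a verifier which cac:Signature entry each ds:Signature belongs to.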


