ubl-security message



Subject: ACTION REQUIRED: Draft 07 of UBL security profiles


Members of the UBL Security Subcommittee:

I'm sure that we are all grateful to Ken Holman for the immense
amount of work that he has invested in the materials referred to
below.  But please be aware that you as a committee must review
and agree to his work before the TC will feel comfortable in
adopting it.

PLEASE review and, if possible, test the proposed revisions to the
extension and digital signature mechanisms at your earliest
opportunity and report your findings on this list.  The TC will
begin the process of assembling the UBL 2.1 PRD2 at the end of
November, and it is important to be able to include the revised
mechanisms in that release.

Best regards,

Jon Bosak
Chair, UBL TC

G. Ken Holman wrote:
> Fellow UBL Security SC members,
> 
> Please find (described below) at:
> 
>    http://www.oasis-open.org/committees/document.php?document_id=40254
> 
> [1] proposed PRD2 changes related to security (schemas, example 
> instances, prose for the annexes) and [2] draft 07 of the UBL security 
> profiles (a rewrite of UBL-XAdES-Profile 1.0-RC2.doc released earlier).
> 
> I have released the drafts in the same ZIP file because the two are 
> related.
> 
> The directories in the ZIP have these files:
> 
>  \    - revised sample instances for PRD2 (now with bona fide and
>         verifiable signatures)
>  \profiledoc - proposed UBL security profiles rewrite (HTML and PDF)
>  \ubl21doc - proposed UBL 2.1 PRD2 annex rewrite (skeletal HTML and XML)
>  \xsd - proposed UBL 2.1 PRD2 extension schema changes (with PRD1
>         business objects)
> 
> Jon, I tried to hack the UBL 2.1 PRD2 annex XML in such a way that you 
> can replace it directly in your edited content.  Also, I've summarized 
> below the changes since we will have to document the differences between 
> PRD1 and PRD2.  I hope I didn't miss anything.
> 
> Also, Jon, regarding the schemas and instances, this is *not* the 
> package of SGTG replacement directories for PRD2.  Only enough for the 
> Security SC to work with the example signed UBL documents.  The SGTG 
> replacement directory package will come later and I'll post it to the 
> main list.
> 
> Please let me know if anyone has any questions.  I look forward to your 
> critical feedback.  I think everything we need is in there, but I could 
> have easily overlooked something ... I've been staring at this stuff for 
> days.
> 
> Thanks!
> 
> . . . . . . . . . . Ken
> 
> [1] Changes in UBL 2.1 annexes for PRD2:
> - prose changes describing new extension methodology of simply importing 
> extension fragments (I've embedded Jon's name in some places where the 
> changes are not obvious; I've edited the DocBook markup so it *should* 
> be possible to simply replace the existing markup with this contributed 
> markup as a starting point to the next round of edits)
> - de-emphasis of XAdES in line with de-emphasis of it in the Profiles 
> document (since XAdES is embedded *inside* of XMLDSig, our extension is 
> now solely an XMLDSig extension that users can use any way they feel, 
> including XAdES and others)
> - revised the URI strings based on changes in the Profiles document
> - revised the XML fragment example based on changes in the Profiles 
> document
> - added the distinction between co-signatures and countersignatures in 
> an informative note (doesn't impact on validation or conformance)
> - cited the mechanism in XAdES of embedding information in an XMLDSig in 
> an informative note (doesn't impact on validation or conformance)
> - updated the informative reference to 2009-06 version of XAdES
> - absent from this document is any reference to the "detached profile"; 
> should one be added?  I think not since the reference to the signature 
> profiles document is in the context of the extension fragment which is 
> used only in the enveloped profile
> - absent from this document is any reference to the conformance section 
> of the Profiles document; should one be added?
> - the example file xml/UBL-Invoice-2.0-Signed.xml is removed as its 
> pro-forma embedded signature was not bona fide and verifiable
> - the following example files are added (the signatures are created 
> using a real certificate for a dummy "Demo UBL" persona using the UBL TC 
> comment email address; the free software at 
> http://www.CraneSoftwrights.com/resources/ubl/index.htm#digsig was used 
> to create these files):
>     xml/UBL-Invoice-2.0-Enveloped.xml
>          - a sample UBL invoice with a bona fide verifiable embedded 
> signature
>     xml/UBL-Invoice-2.0-Detached.xml
>          - a sample UBL invoice referencing an external detached signature
>     xml/UBL-Invoice-2.0-Detached-Signature.xml
>          - the bona fide verifiable detached signature for the sample
> - there are no references to detached signatures as there are in the 
> profiles document ... should this change?
> 
> 
> [2] Changes in UBL Digital Signature Profiles 1.0:
> - change of the document title
> - change of URI strings from "http:" protocol to "urn:" protocol
> - change of the profiles being XAdES-specific to being XMLDSig-specific 
> since all of XAdES is embedded inside of XMLDSig (and there may be 
> non-XAdES users of XMLDSig who can now use these profiles)
> - major rewrite of text needs a thorough review by UBL Security SC 
> members; while I did try and copy major blocks of content, most are 
> tweaked in line with terminology used in UBL
> - change conformance clauses to how to conform to the profiles (not how 
> the profiles conform to other specifications, which is not the intent of 
> the section)
> - used official OASIS DocBook structure in XML (not Word)
> - distinguished normative references from informative references and put 
> informative references into notes
> - used some of the UBL 2.1 annex verbatim so as to ensure consistency 
> (no need to say things differently) ... any changes, then, to the 
> profiles document should also be made in the UBL 2.1 document
> 
> 
> -- 
> Contact us for world-wide XML consulting & instructor-led training
> Crane Softwrights Ltd.          http://www.CraneSoftwrights.com/o/
> G. Ken Holman                 mailto:gkholman@CraneSoftwrights.com
> Legal business disclaimers:  http://www.CraneSoftwrights.com/legal
> 
> 