OASIS Mailing List Archives

ubl message



Subject: Re: [ubl] MINUTES FROM EUROPE ASIA UBL WORKING SESSION WEDNESDAY 6th JULY at 0800 UTC


CRAWFORD, Mark wrote:
>>Two approaches have been identified:
>>a. encapsulating the digital signature inside the document 
>>(the Crimson Logic approach) b. referencing the digital 
>>signature from the document and storing it externally (the 
>>DTTN and ebXML approach).
>>
>>Both have their strengths and weaknesses.
>>
>>Action Item: Peter will create a draft of how the Digital 
>>Signature could be referenced from a UBL document and pass to 
>>Thomas for his input.
> 
> 
> B allows a wider use of UBL for those who may prohibit the encapsulating
> of the digsig.  My understanding is that the WS Security TC(s) in OASIS
> are taking this approach (encapsulating the digsig hash in the SOAP
> envelope rather than the individual document(s)).

Given:

|---part 1
   <soap:Envelope>
     <soap:Header>..</soap:Header>
     <soap:Body>...payload(business doc?)...</soap:Body>
   </soap:Envelope>
|---part 2..n
   Attachment..

WS Security TC places the signature in the header and the 'business 
document' in the payload, with the possibility of attachments as MIME 
parts. Now, you can decide what to sign; probably you want all of it 
hashed: the signature, the body and the attachments.

The important thing I think you missed is that the signature holds a 
reference to the signed parts, and not the parts to the signature. In 
the WS Security case, the signature exists as long as the SOAP message 
exists, after that the references might not make much sense (though you 
could go complex and use your custom URI resolver that would point to 
the right parts even without the SOAP message).

In ebXML RegRep we use the WS Security approach now, with version 3.0. 
Before that we had the signature as an attachment - and 'non-standard' 
API to handle it. The trade-off is that before we used to store the 
signature and the document, now we are happy with transport security only.

Regards,
Diego

-- 
Diego Ballve
Digital Artefacts Europe
http://www.digital-artefacts.fi/
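
Added example (not part of the original message or of any OASIS specification): a minimal sketch of a signature that holds references to the signed parts, showing why verification fails once the SOAP message is gone unless a custom resolver maps the URIs to stored copies. HMAC-SHA256 stands in for a real XML Signature, no canonicalization is done, and every name, URI, key and byte string here is a constructed assumption.

```python
import hashlib
import hmac

# Constructed sample parts, keyed by the URI the signature refers to.
MESSAGE = {
    "#body": b"<Invoice><ID>42</ID></Invoice>",
    "cid:attachment-1": b"constructed attachment bytes",
}
KEY = b"constructed-demo-key"  # stand-in for the signer's key material


def _signed_info(references):
    # The signed data is the list of (URI, digest) pairs, not the parts themselves.
    return "\n".join(f"{uri} {digest}" for uri, digest in references).encode()


def sign(parts, key):
    """Build a signature object that references each part by URI and digest."""
    refs = [(uri, hashlib.sha256(data).hexdigest())
            for uri, data in sorted(parts.items())]
    value = hmac.new(key, _signed_info(refs), hashlib.sha256).hexdigest()
    return {"references": refs, "value": value}


def verify(signature, key, resolve):
    """Return (ok, reason); resolve(uri) yields the part's bytes or None."""
    expected = hmac.new(key, _signed_info(signature["references"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature["value"]):
        return False, "signature value mismatch"
    for uri, digest in signature["references"]:
        data = resolve(uri)
        if data is None:  # e.g. the SOAP message no longer exists
            return False, f"unresolved reference {uri}"
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
            return False, f"digest mismatch for {uri}"
    return True, "ok"


def archive_resolver(store, mapping):
    """Custom resolver: map message-relative URIs to archived copies."""
    return lambda uri: store.get(mapping.get(uri))


if __name__ == "__main__":
    sig = sign(MESSAGE, KEY)
    print(verify(sig, KEY, MESSAGE.get))        # message still available
    print(verify(sig, KEY, lambda uri: None))   # message discarded
```
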


