Re: [ubl] Re: Making references

["G. Ken Holman" <gkholman@CraneSoftwrights.com>]

At 2009-11-30 17:50 +0100, Oriol Bausą wrote:
>I can agree with all your points,  but the 
>strange think with your solution is that you 
>came out with a new structure to be maintained 
>in UBL, and for the very first time, we are 
>producing structure for an extension point.

Yes, though I was not the one to conceive of this 
... I was only asked to comment on the structures proposed to be used.

I think it makes sense to use the extension point 
for a few reasons:  (1) one scheme can be used 
for UBL 2.0 and UBL 2.x, (2) semantically the 
signature mechanism could be regarded as 
orthogonal to the business information of the 
instance (though I admit if we had worked this 
out earlier it would have made it into standard 
UBL 2.0), and (3) it becomes an exemplar for extensions for our user community.

>We are also creating two different signature 
>components: a common library UBL Signature component

That one already existed ... row 898 of the 2.0 common library.

>and another one that's used as a wrapper inside the extension point.

Yes, that one is new.

>The use of extension points to place the 
>signature was originally thought as a way to 
>incorporate digital signatures of another 
>namespace inside UBL documents without breaking schema compatibility.

Right.

>Extensions where the only place where we could 
>add other stuff than UBL so it was a nice 
>placeholder for this kind of information. All 
>the linkage (ID/IDREF, Xpointer) information is 
>suggested to enable the use of the UBL common library Signature component.

Agreed.

>The other question is whether the UBL Signature 
>component has sense or not. Personally, I think 
>that most information in UBL Signature component 
>is also covered in a standard ETSI Signature 
>(XAdES) so you wouldn't need that component at all.

Ahhhh, but I tried to document my reasons for 
creating the sig:Signature component:

   (1) - current referencing in UBL doesn't involve attributes, and
         ds:Signature uses an attribute
   (2) - the lexical space for cac:Signature/cbc:ID is not the same
         as the lexical space for ds:Signature/@id, and so it is
         possible users will create a cac:Signature/cbc:ID that would
         not be schema valid as a value for ds:Signature/@id
   (3) - while the top element of an extension is supposed to be in a
         non-UBL namespace, and indeed ds:Signature is in a non-UBL
         namespace, but the committee creating the extension is not
         in charge of ds:Signature and so doesn't have the opportunity
         to evolve the extension definition

And something came to mind this 
morning:  multiple signatures.  Do we need the following:

<ext:UBLExtension>
   <ext:ExtensionContent>
     <sig:Signatures 
xmlns:sig="urn:oasis:names:specification:ubl:schema:xsd:CommonSignatureComponents-2">
       <sig:Signature>
         <cbc:ID>*AnySignatureID1*</cbc:ID>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
                       xmlns:xades="http://uri.etsi.org/01903/v1.4.1#";>
           [...]
         </ds:Signature>
       </sig:Signature>
       <sig:Signature>
         <cbc:ID>*AnySignatureID2*</cbc:ID>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
                       xmlns:xades="http://uri.etsi.org/01903/v1.4.1#";>
           [...]
         </ds:Signature>
       </sig:Signature>
     </sig:Signatures>
   </ext:ExtensionContent>
</ext:UBLExtension>

... which would add a new reason:

    (4) - the cardinality of <ds:Signature> is 1 and UBL users need to be
          able to specify multiple signatures; yes, they could use multiple
          extensions, but is that really the right semantic?  Does it not
          make more sense to just have one extension for all signatures?

I think reasons (2) and (4) are very compelling.

>Then you would only require to place the 
>signature in an Extension and no requirements on 
>Signature placeholders for UBL (that's the case 
>BTW of the invoice, required in some 
>legislations in Europe but without the Signature 
>Component in the Invoice structure)

Sorry, I'm not sure what you mean by that ... we 
already have a requirement in cac:Signature that 
it have a mandatory identifier.  Please forgive my confusion.

>Another possible way of solving this would be to 
>have a Signature component with a "anyType" 
>structure inside to be used as a signature 
>placeholder, but getting rid of all the 
>components about signature (such as 
>Canonicalization Method or Signature Algorithm) and all the reference problems.
>
><cac:Signature>
><cac:SignatureAttachment>
><ds:Signature>
>...
></ds:Signature>
></cac:SignatureAttachment>
></cac:Signature>

Unfortunately not because the schema constraints 
for cac:Attachment do not provide for XML markup 
... it must be a base64-encoded item, and I think 
we want <ds:Signature> to be in clear text.  The 
way cac:Attachment works would require:

   <cac:Signature>
     <cac:DigitalSignatureAttachment>
       <cbc:EmbeddedDocumentBinaryObject>
         .....binary data in base64 format....
       </cbc:EmbeddedDocumentBinaryObject>
     </cac:DigitalSignatureAttachment>
   </cac:Signature>

.... and you can see that not only we would "lose 
sight" of the fact that it is <ds:Signature> but 
that processing applications looking for <ds:Signature> would not find it.

>I hope this helps!

I hope I've been able to present a reasoned aspect of this discussion!

. . . . . . . . . . Ken

p.s. does XML Sig allow me to move the namespace 
declarations up in the hierarchy as XML does?  As in:

<ext:UBLExtension>
   <ext:ExtensionContent>
     <sig:Signatures 
xmlns:sig="urn:oasis:names:specification:ubl:schema:xsd:CommonSignatureComponents-2"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
                     xmlns:xades="http://uri.etsi.org/01903/v1.4.1#";>
       <sig:Signature>
         <cbc:ID>*AnySignatureID1*</cbc:ID>
         <ds:Signature>
           [...]
         </ds:Signature>
       </sig:Signature>
       <sig:Signature>
         <cbc:ID>*AnySignatureID2*</cbc:ID>
         <ds:Signature>
           [...]
         </ds:Signature>
       </sig:Signature>
     </sig:Signatures>
   </ext:ExtensionContent>
</ext:UBLExtension>


... or do signature processing applications need 
to see the namespace declarations on the <ds:Signature> element:

    xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
    xmlns:xades="http://uri.etsi.org/01903/v1.4.1#";

(from an XML perspective they shouldn't need to 
see it, but they may not be fully XML aware).


--
Vote for your XML training:   http://www.CraneSoftwrights.com/o/i/
Crane Softwrights Ltd.          http://www.CraneSoftwrights.com/o/
Training tools: Comprehensive interactive XSLT/XPath 1.0/2.0 video
Video lesson:    http://www.youtube.com/watch?v=PrNjJCh7Ppg&fmt=18
Video overview:  http://www.youtube.com/watch?v=VTiodiij6gE&fmt=18
G. Ken Holman                 mailto:gkholman@CraneSoftwrights.com
Male Cancer Awareness Nov'07  http://www.CraneSoftwrights.com/o/bc
Legal business disclaimers:  http://www.CraneSoftwrights.com/legal