OASIS Mailing List Archives

dss-comment message



Subject: Public Comment


Comment from: inma@dif.um.es

Name: Inma Marín
Title: IT Consultant
Organization: University of Murcia
Regarding Specification: DSS Core Committee Draft 4 (DSS Core Elements)

I would like to point out two aspects:

1. Regarding the optional input <AddTimestamp>, section 3.5.2.2 "Processing form XML signatures time-stamping" says that "... the timestamp token created by the server shall be a <ds:Signature>". However, most TSAs create RFC3161 timestamp tokens, so I think it is recommended to take this into account and allow embedding an RFC3161 timestamp token into an XML Signature.

2. As far as verification of enveloping CMS signatures is concerned, section 4.5 says: "2. [...] if the CMS signature is enveloping, it contains its own input data and there MUST NOT be any input documents present". On the contrary, there are situations where we need to supply the original signed document in order to check whether the signed document (included in the CMS signature) matches the document which was intended to be signed (original document). If it is not possible to include the original document as an input document in the VerifyRequest, maybe the service should return (in the VerifyResponse) the signed document within the CMS signature, so the client can accomplish the matching (signed document against original document) by himself.

I would like to know your expert opinion about these topics.

Thank you very much in advance.

Regards,
Inma.
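
The client-side matching proposed in point 2, sketched as an added example that is not part of the original message or of the DSS specification: it recovers the document embedded in an enveloping CMS SignedData (RFC 5652) and compares it with the original. Assumptions: the signature itself has already been validated (for example by the DSS VerifyRequest), the CMS is DER-encoded with a primitive OCTET STRING as eContent, all function names are hypothetical, and the sample is a constructed SignedData with no signers.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def der(tag, body=b""):
    n = len(body)  # DER encoder, used only to build the constructed sample
    if n < 0x80:
        return bytes([tag, n]) + body
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + body

def tlv(buf, off=0):
    """Decode the TLV at off; return (tag, value, offset of the next TLV)."""
    if len(buf) < off + 2:
        raise ValueError("truncated TLV header")
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0:
            raise ValueError("indefinite length (BER) is not handled here")
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[off:off + n], off + n

def embedded_content(cms):
    """Return the eContent bytes of a SignedData, or None when it is detached."""
    tag, info, _ = tlv(cms)                 # ContentInfo SEQUENCE
    oid_tag, oid, off = tlv(info)           # contentType
    if tag != 0x30 or oid_tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a CMS SignedData")
    signed = tlv(tlv(info, off)[1])[1]      # [0] EXPLICIT -> SignedData SEQUENCE
    off = tlv(signed, tlv(signed)[2])[2]    # skip version and digestAlgorithms
    eci = tlv(signed, off)[1]               # encapContentInfo SEQUENCE
    off = tlv(eci)[2]                       # skip eContentType
    if off == len(eci):
        return None                         # detached: no eContent present
    inner_tag, content, _ = tlv(tlv(eci, off)[1])  # [0] EXPLICIT -> OCTET STRING
    if inner_tag != 0x04:
        raise ValueError("eContent is not a primitive OCTET STRING")
    return content

def matches_original(cms, original):
    """True only if the enveloped document is byte-identical to the original."""
    return embedded_content(cms) == original

def sample_cms(doc):
    """Constructed sample: signerless SignedData; doc=None gives a detached one."""
    eci = der(0x06, OID_DATA) + (der(0xA0, der(0x04, doc)) if doc is not None else b"")
    signed = der(0x02, b"\x01") + der(0x31) + der(0x30, eci) + der(0x31)
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, der(0x30, signed)))
```

A match is only meaningful when the same CMS object has passed signature verification; CMS produced in streaming mode is often BER with indefinite lengths, which this DER-only walk rejects rather than guesses at.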



