OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

dss-x message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [dss-x] DSS-X Visible Signatures Profile

Hi Nick,
> How would you see this relating to a possible profile for signing PDF
> documents?  
Well it includes solutions for signing PDFs as plain text and in their 
binary form.
> Would this be a sub-profile?
I'd suggest to work like in the core document or the AdES-Profile and 
establish principles and concepts upfront and use later sections for the 
different technicalities.

Hi Uri !

please see my comments inside,

Uri Resnitzky wrote:
> [...] Perhaps we need two different profiles to address these two approaches.
I strongly disagree, for a couple of reasons ...

* There is only one visual signatures profile on our charter.
* Visual XML Signatures are for us of paramount importance to a DSS-X 
Visual Signature Profile.
* Plain Text Signatures that are easily verifiable from a paper printout 
(e.g. of a PDF) are important in the DSS-X Visual Signature Profile.
* Binary PDF signatures should be supported as well

and most importantly

* Given the <SignatureType> input we have the ability to discriminate 
different signature types [ also your approach. ;-) ]
> My approach is to leverage existing digital signature specifications for popular document formats (such as PDF).
The approach for signing PDFs in their binary form in Austria is 
specified here (just in case you understand German):

I'll have to check if I can get a translation for this.

In case you don't speak German and are curious now you can get a hint 
what is in there and you could try an automatic translation service:

> The idea is that you would send such a document to the DSS server and ask it to sign it while inserting a visual signature in a specific place in the document.
The same holds true for the signatures specified in the document above.

> The result would be a document that can be opened, viewed *and verified* by any standard application for that document type (for example Adobe Reader).
Well I'd strongly doubt that many standard PDF application would support 
PDF signatures. Well Adobe does ... and some others. Btw, have you tried 
there to verify a document after the certificate was revoked or expired?
> In the Austrian approach, a PDF file cannot be signed visually while maintaining the ability to be verified by standard applications that adhere to the PDF spec for digital signatures.
Well complete certificate checks including proper certificate revocation 
checking is a nontrivial task and exactly one of the reasons why DSS 
moves such a burden from a client to a server.
Hence I'd advocate for making such a scenario not a general use-case for 
the DSS-X Visual Signature Profile.

> This is because the PDF standard defines that a signature must cover all the bytes in the document in the hash calculation, and that must also include the visual appearance. Therefore the appearance cannot contain the signature value itself.
Well, fortunately there are byteranges for PDFs ... (cf. section 4.3 of 
the link I posted, I fixed the translation of the relevant parts of 
Section 4.3.5 for you below)

4.3.5 /ByteRange
Static ranges are described by byte ranges. Byte ranges are in analogy 
to byte ranges in the Adobe pdf signatures defined (see pdf Reference 
1,6 - chapter 8.7 - „Digitally Signatures “):
In a binary signature all static ranges MUST be identified by means of 
The variable ranges between the byte of rank are called holes. These are 
at the signing time by place holders, after successful signing the 
appropriate values are
inserted, for example the SignatureValue, ....


> I am working on a draft document for a "visual document signatures" profile of DSS along the lines of my approach and hope to post it to the list before the next TC meeting.
Well, that is very kind of you, and I'd kindly like to ask you to take 
visual XML Signatures (that should in the spirit of the dss core be the 
default) and also Plain Text Signatures just as well as binary PDF 
signatures into account.

Also note that visual XML Signatures allow for more than just PDF ...
XML Signature + Stylesheet = (X)HTML
XML Signature + Stylesheet = PDF

kind regards


>> -----Original Message-----
>> From: Pope, Nick [mailto:Nick.Pope@thales-esecurity.com] 
>> Sent: Thursday, 26 July, 2007 13:09
>> To: Konrad Lanz; dss-x@lists.oasis-open.org; 
>> dss-x-comments@lists.oasis-open.org
>> Subject: RE: [dss-x] DSS-X Visible Signatures Profile
>> Konrad,
>> I look forward to reading this and working on this profile in DSS.
>> How would you see this relating to a possible profile for 
>> signing PDF documents?  Would this be a sub-profile?
>> Uri - what are your view on this?
>> Nick
>>> -----Original Message-----
>>> From: Konrad Lanz [mailto:Konrad.Lanz@labs.cio.gv.at]
>>> Sent: 23 July 2007 19:46
>>> To: dss-x@lists.oasis-open.org; dss-x-comments@lists.oasis-open.org
>>> Cc: Herbert Leitold; Peter Reichstädter
>>> Subject: [dss-x] DSS-X Visible Signatures Profile
>>> Importance: Low
>>> Dear fellow DSS-X Members,
>>> to get the work on a visible signatures profile for DSS-X 
>> started we 
>>> foresee the following work items and are happy to provide 
>> references 
>>> to material defining visible signatures in Austria.
>>> * Definition of Terms
>>>     -------------------
>>>     The English version of the Austrian E-Government Act can be a
>>>     rich source. [1][2][3]
>>> * What a visible signature should look like
>>>     -----------------------------------------
>>>     The Austrian e-Government Act [1] can also provide here a very
>>>     general and rich definition in principle requiring the following
>>>     for visible signatures:
>>>       - visible image mark (recognized logo) of the signatory
>>>       - name and role of signatory (optional)
>>>       - date / time
>>>       - identifier of legal act / process (optional)
>>>       - name and country of origin of the issuing CA
>>>       - serial number of the signatory's Certificate
>>>       - the signature value in BASE64 coding
>>>       - an appropriate attribute (non critical V3 extension) in
>>>         the  signature certificate.
>>>         In Austria's administration this means a registered OID
>>>         indicating that the organization is a public
>>>         administration.
>>>       - validity hint (optional)
>>> * Another important topic is the probative value of Printouts
>>>     -----------------------------------------------------------
>>>       - the electronic form including the signature can be exactly
>>>         reconstructed from the printout and can be verified from
>>>         the printout
>>> You can find an example of a visible PDF and XML Signature attached.
>>> [1] Federal Electronic Signature Law:
>>>       --------------------------------- 
>>> http://www.ris.bka.gv.at/erv/erv_1999_1_190.pdf
>>> [2] The Austrian E-Government Act:
>>>       ------------------------------
>>> http://www.ris.bka.gv.at/erv/erv_2004_1_10.pdf
>>> [3] Administration on the Net:
>>>       ------------------------------
>> http://www.cio.gv.at/egovernment/umbrella/Administration_on_the_Net.zi
>>> p
>>> cf. Page 134
>>> kind regards
>>> Konrad Lanz

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]