dss-x message

Subject: Re: [dss-x] FW: [dss-dev] ds:Reference @URI attribute

From: Stefan Drees <stefan@drees.name>
To: "Pope, Nick" <Nick.Pope@thales-esecurity.com>
Date: Thu, 06 Sep 2007 17:47:38 +0200

Pope, Nick wrote:
> Any thoughts on this question from Pim?
> Nick

sorry, not yet from me.

I for now analysed the errata from the comments all as applicable and
noted this in uploaded version 0.2 in my issue tracking document (sorry
for the multitude of notification messages, I forgot to uncheck the
relevant box).

Now I will try on this "Issue or Clarification"-Comment from Pim.

If I understand correctly, this starts as a XML DSIG question 
(URI-attribute of the <ds:Signature> element included from XML DSIG).

At a first glance, it appears to me like grouped chinese boxes with 
typing problems blocking linking in one special case.

Going from bottom to top: In a <SignResponse> there is an attribute 
RequestID, which is mandatory, if included in a request (<SignRequest>). 
The <InputDocuments> element is required in a <SignRequest> and we 
state, that "the" signature is calculated over "the input documents", so 
one signature over all input documents in one sign request, so one id 
per request per signature.

Could the <SignaturePtr> element of the <SignatureObject> be of help? 
With this one we can link signatures to documents or transformed 
documents, can't we?

I hope this qualifies as "any thoughts" and as a first shot at a resolution.

All the best,
Stefan.

> -----Original Message-----
> From: Pim van der Eijk [mailto:lists@sonnenglanz.net] 
> Sent: 29 August 2007 08:43
> To: dss-dev@lists.oasis-open.org
> Subject: [dss-dev] ds:Reference @URI attribute
> 
> 
> Hello,
> 
> In a ds:Signature, enveloped in a dss:SignatureObject in a dss:SignResponse,
> can or should the URI attribute be present?  If yes, what should be its
> value?  
> 
> According to http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-URI, I
> would assume the attribute could be omitted as "the receiving application is
> expected to know the identity of the object", via the link between the
> SignResponse document to its corresponding SignRequest document.  Is that
> correct?
> 
> If there are multiple dss:Document elements in a dss:InputDocuments
> structure, how does one correlate a ds:Signature element in a
> dss:SignResponse to the corresponding dss:Document in the dss:SignRequest?
> 
> My first idea was to use the value of the ID attribute on the dss:Document
> in dss:InputDocuments. However, ID is an XML ID type attribute, and the URI
> attribute has type anyURI. The ID attribute will not be in the
> dss:SignResponse when the document to be signed is included in the
> SignRequest but not in the SignResponse (which happens when not using the
> DocumentWithSignature output element). 
> 
> Pim
 > ...

References:
- FW: [dss-dev] ds:Reference @URI attribute
  - From: "Pope, Nick" <Nick.Pope@thales-esecurity.com>