OASIS Mailing List Archives

dss-x message


Subject: Re: [DSS-X] comments to profile on individual reporting multi-signature verification

Hallo Juan Carlos, 

your requirements below seem to point to a similar
direction as the attached draft of a VerificationReport-structure. 

This structure aims at providing (if requested by specifying a sufficiently
high detail-level) a comprehensive verification report 
for arbitrary signed objects (such as advanced electronic signatures
and related structures (incl. time stamps, (attribute) certificates 
and revocation information - possibly by expanding the binary structures
to a human readable form). Such a comprehensive verification report is 
(in some European countries) required to be generated and archived for 
electronic invoices. 

> I have uploaded a document that we worked some time ago and 
> that could serve to launch discussions on an abstract profile 
> that could support individual reporting multi-signature verification.
> Some of the initial requirements that such a profile should meet are:
> 1. A new optional input in the <dss:VerificationRequest> 
> requesting that if the server finds more than one signature, 
> it reports verification individually for each one.

This could even be a default behaviour. Within the VerificationReport-structure,
there is a general part (related to the request) and multiple (0..*) specific
parts (related to the signed objects). 

> 2. For <dss:VerificationResult> there will be two types of results: 
> global and individual.


> 3. For <dss:VerificationResult> global Major results should 
> globally indicate whether there has been or not success.
>    In the latter case, the client must look at the individual reports.

It would be possible to specify a kind of detail-level, such that
the lowest level would provide the same information as the current 
verification in DSS. However the highest detail-level will provide a comprehensive
verification report, which contains all information, which is gathered
during the verification process. While this - e.g. in case of an advanced 
electronic signature - might become a fairly complex structure, such a report
is required in some scenarios (e.g. eInvoicing). 

> 4. For <dss:VerificationResult> global Minor results have 
> also been re-adjusted

I don't think that we would need to change any Major or Minor results.
The VerificationReport structure could just be handed back in OptionalOutputs.

> 5. For <dss:VerificationResult> a new optional output element 
> satisfying the following
> requirements:

Please have a look at the structures defined in the draft of the 
VerificationReport.xsd attached. 

>   5.1 Each one of these elements will report details on how 
> verification of one
>   signature has gone.

If one aims at supporting advanced electronic signatures, which
may contain time stamps, (attribute) certificates and related 
revocation information (OCSP or CRL), it would be a natural extension 
(with only modest changes) to allow the verification of these structures 
as well.

>   5.2 This element will include result major and minor for 
> each signature.
>   5.3 This element will contain mechanisms for identifying 
> the signature verified
>   (and this is something on what I would like to get more 
> ideas....you will see that
>    I propose something but I would say that there might be 
> other ways to do that).

This element will contain some Identifier for the signed object.
In case of a signature, this might be something similar to the

>   5.4 This element may incorporate any optional output giving 
> details on a verified signature
>   that have been defined in the DSSCore

Yes. It seems to me that covering (CMS or XML) advanced electronic signatures
would imply that everything (maybe apart from PGP-signatures?) is 

>   5.5 Should allow the inclusion of further details on the 
> verification process.

In fact it could make sense to define a kind of detail-level, such 
that one is able to control how detailed the verification report will 

Please let me know what you think about the draft of the attached

Best regards,

Dipl. Inform. (FH)
Dr. rer. nat. Detlef Hühnlein
secunet Security Networks AG
Sudetenstraße 16
96247 Michelau
Telefon +49 9571 896479
Mobil   +49 171  9754980
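
An added client-side example in Python, not taken from this message or from the attached draft XSD: it reads a response carrying one global result plus 0..* per-object reports in OptionalOutputs, as discussed above, and accepts only when every part reports success. The `vr:` namespace, the `VerificationReport`, `IndividualReport` and `SignedObjectIdentifier` element names, the failure URI and the fail-closed acceptance policy are assumptions; the outer `dss:VerifyResponse`, `dss:Result` and `dss:ResultMajor` names follow the DSS core schema.

```python
import xml.etree.ElementTree as ET

DSS = "urn:oasis:names:tc:dss:1.0:core:schema"    # DSS core namespace
VR = "urn:example:verification-report"            # hypothetical namespace
SUCCESS = "urn:oasis:names:tc:dss:1.0:resultmajor:Success"
NS = {"dss": DSS, "vr": VR}

# Constructed sample: global result plus two individual reports (names assumed).
SAMPLE = """<dss:VerifyResponse xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
    xmlns:vr="urn:example:verification-report">
  <dss:Result><dss:ResultMajor>urn:example:resultmajor:Failure</dss:ResultMajor></dss:Result>
  <dss:OptionalOutputs>
    <vr:VerificationReport>
      <vr:IndividualReport>
        <vr:SignedObjectIdentifier>sig-1</vr:SignedObjectIdentifier>
        <dss:Result><dss:ResultMajor>urn:oasis:names:tc:dss:1.0:resultmajor:Success</dss:ResultMajor></dss:Result>
      </vr:IndividualReport>
      <vr:IndividualReport>
        <vr:SignedObjectIdentifier>sig-2</vr:SignedObjectIdentifier>
        <dss:Result><dss:ResultMajor>urn:example:resultmajor:Failure</dss:ResultMajor></dss:Result>
      </vr:IndividualReport>
    </vr:VerificationReport>
  </dss:OptionalOutputs>
</dss:VerifyResponse>"""

def _major(elem):
    """ResultMajor text of elem's direct dss:Result child, or None if absent."""
    node = elem.find("dss:Result/dss:ResultMajor", NS)
    return node.text.strip() if node is not None and node.text else None

def read_report(xml_text):
    """Return (global major, {signed-object identifier: individual major})."""
    root = ET.fromstring(xml_text)  # for untrusted input prefer a hardened parser
    individual = {}
    for rep in root.iterfind("dss:OptionalOutputs/vr:VerificationReport/vr:IndividualReport", NS):
        ident = rep.findtext("vr:SignedObjectIdentifier", default="", namespaces=NS).strip()
        if not ident or ident in individual:
            raise ValueError("individual report without a unique identifier")
        individual[ident] = _major(rep)
    return _major(root), individual

def failed_objects(xml_text):
    """Identifiers whose individual result is missing or not Success."""
    return sorted(i for i, m in read_report(xml_text)[1].items() if m != SUCCESS)

def accept(xml_text):
    """Fail closed: global Success, at least one report, every report Success."""
    global_major, individual = read_report(xml_text)
    return global_major == SUCCESS and bool(individual) and all(m == SUCCESS for m in individual.values())
```

Rejecting a response with zero individual reports is a policy choice made for this example; the message itself allows 0..* specific parts.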

