

Subject: Re: AW: [dss-x] Groups - Signature Policy Profile of the OASIS Digital Signature Services (oasis-dssx-1.0-profiles-sigpolicy-wd.doc) uploaded


Hi Detlef,

Thank you for your email and sorry for not having reacted before.

I would agree with you in general.
I have one comment to your schema:

ORIGINAL: <element name="SignatureIdentifier" type="vr:SignatureIdentifierType" />

PROPOSAL: <element name="SignatureIdentifier" type="vr:SignatureIdentifierType" minOccurs="0"/>

If this is the case then I would establish the following rules:

0. General principle: if the signature itself has a Signature Policy 
Identifier (as in XAdES or CAdES) then the server verifies that 
signature with this policy.

1. If the verify request includes an indication of a Signature 
Policy but not linked to any Signature (i.e., only one IndividualPolicy 
but no SignatureIdentifier), then this is used by default for any 
signature without signature policy indication. But 0 applies for the 
rest of signatures.

2. If there is any pair of 
SignaturePolicyIdentifier-SignatureIdentifier, then the server uses the 
policy identified in the request. But if the signature itself has a 
different signature policy identifier, then 0. applies again and the 
server notifies this fact to the client.

What do you think?

Regards

Juan Carlos.
Huehnlein, Detlef wrote:
> Hello Juan Carlos,
> 
> it seems to me that for "typical use cases" it might 
> be sufficient to have a single policy for multiple signatures
> related to a document and hence the simple option below might
> be sufficient. Do you have a specific use case in mind, where 
> multiple signatures need to be verified with different policies?
> 
> On the other side it would be easy to allow the combination of 
> both options:
> 
> <element name="VerifyUnderSignaturePolicy" type="VerifyUnderSignaturePolicyType"/>
> <complexType name="VerifyUnderSignaturePolicyType">
>   <sequence>
>     <element name="DefaultPolicy" type="SignaturePolicyDetailsType" minOccurs="0"/>
>     <sequence maxOccurs="unbounded" minOccurs="0">
>       <element name="SignatureIdentifier" type="vr:SignatureIdentifierType" />
>       <element name="IndividualPolicy" type="SignaturePolicyDetailsType" />
>     </sequence>
>   </sequence>
> </complexType>
> 
> 
> In this case it would be possible to specify a default-policy, which will be applied,
> iff no other policy-indication (within the signature, or in the element above) 
> "overrules" this default. 
> 
> 
> BR,
>  Detlef
> 
>> -----Original Message-----
>> From: cruellas@ac.upc.edu [mailto:cruellas@ac.upc.edu] 
>> Sent: Friday, 25 April 2008 17:45
>> To: dss-x@lists.oasis-open.org
>> Subject: [dss-x] Groups - Signature Policy Profile of the 
>> OASIS Digital Signature Services 
>> (oasis-dssx-1.0-profiles-sigpolicy-wd.doc) uploaded
>>
>> Dear all,
>>
>> I have uploaded an initial and incomplete version of the 
>> signature policy profile for DSS protocol.
>>
>> It is incomplete because the part profiling the verification 
>> protocol is missing. This is due to the fact that I am still 
>> thinking how to manage the situations when the 
>> <dss:VerifyRequest> contains more than one signature.
>>
>>
>> If there is only one signature, the thing is easy, the client 
>> sends an identifier of the policy that the server must 
>> use....but if there are several...
>>
>> Some very initial thoughts:
>>
>> 1. The simplest option: pass to the server one policy 
>> identifier and if there is more than one signature, then the 
>> server uses this policy (or does whatever it wants and then 
>> lets the client know?)
>>
>> 2. Pass a list of pairs (Signature policy  signature to be verified). 
>> 	Con: requires identifying all the signatures and building 
>> 	references to each signature. 
>> 	Pro: specifies what signature policy must be used for 
>> 	each signature.
>>
>> 3. In addition to all this, if there are several signatures 
>> this is strongly related with the multisignature verification 
>> profile...although I do not see problems in this.
>>
>> Regards
>>
>> Juan Carlos.
>>
>>
>>  -- Juan Cruellas
>>
>> The document named Signature Policy Profile of the OASIS 
>> Digital Signature Services  
>> (oasis-dssx-1.0-profiles-sigpolicy-wd.doc) has been submitted 
>> by Juan Cruellas to the OASIS Digital Signature Services 
>> eXtended (DSS-X) TC document repository.
>>
>> Document Description:
>> Profile for instructing servers to use a certain signature 
>> policy when generating or verifying an electronic signature 
>>
>> View Document Details:
>> http://www.oasis-open.org/apps/org/workgroup/dss-x/document.php?document_id=28097
>> Download Document:  
>> http://www.oasis-open.org/apps/org/workgroup/dss-x/download.php/28097/oasis-dssx-1.0-profiles-sigpolicy-wd.doc
>>
>> PLEASE NOTE:  If the above links do not work for you, your 
>> email application may be breaking the link into two pieces.  
>> You may be able to copy and paste the entire link address 
>> into the address field of your web browser.
>>
>> -OASIS Open Administration
>>
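
The policy-resolution rules 0 to 2 proposed in the reply, combined with the DefaultPolicy element from the quoted schema, as an added example that is not part of the thread or of the DSS-X profile. It assumes unqualified element names and that policies and signature identifiers are carried as plain text; all identifiers and URNs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample request. Assumptions: no namespaces, and both the policy
# and the signature identifier are carried as plain text content.
REQUEST = """
<VerifyUnderSignaturePolicy>
  <DefaultPolicy>urn:example:policy:default</DefaultPolicy>
  <SignatureIdentifier>sig-2</SignatureIdentifier>
  <IndividualPolicy>urn:example:policy:A</IndividualPolicy>
  <SignatureIdentifier>sig-3</SignatureIdentifier>
  <IndividualPolicy>urn:example:policy:B</IndividualPolicy>
</VerifyUnderSignaturePolicy>
"""

def parse_request(xml_text):
    """Return (default_policy, {signature_id: policy}) from the request element."""
    default, per_sig, pending = None, {}, None
    for child in ET.fromstring(xml_text):
        text = (child.text or "").strip()
        if child.tag == "DefaultPolicy":
            default = text
        elif child.tag == "SignatureIdentifier":
            pending = text
        elif child.tag == "IndividualPolicy":
            if pending is None:      # rule 1: policy not linked to a signature
                default = text
            else:                    # rule 2: explicit pair
                per_sig[pending] = text
            pending = None
    return default, per_sig

def resolve(embedded, default, per_sig):
    """embedded maps signature id -> policy id found in the signature, or None.
    Returns {signature_id: (policy_to_use, notice_or_None)}."""
    result = {}
    for sig_id, own in embedded.items():
        requested = per_sig.get(sig_id)
        if own is not None:          # rule 0: the signature's own policy wins
            notice = None
            if requested is not None and requested != own:
                notice = "requested %s overridden by embedded %s" % (requested, own)
            result[sig_id] = (own, notice)
        else:
            result[sig_id] = (requested or default, None)
    return result

# Constructed signatures: id -> policy identifier embedded in the signature.
SIGNATURES = {"sig-1": None, "sig-2": None,
              "sig-3": "urn:example:policy:C", "sig-4": "urn:example:policy:D"}
```

The notice string stands in for whatever the server would report back to the client when rule 2 falls back to rule 0.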


