[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: AW: AW: [dss-x] Groups - Signature Policy Profile of the OASIS Digital Signature Services (oasis-dssx-1.0-profiles-sigpolicy-wd.doc) uploaded
Hello Juan Carlos, I have two remarks regarding the proposal: 1 - I think also that we should choose the simpler solution and have a single policy to be applied on all relevant signatures and also avoid the complexity of defining for each signature its relevant signature policy. 2 - Regarding the retrieval of available policies from the server, I think this operation should be part of a general server capabilities retrieval operation and not necessarily the signature or verification operations. I think it may be relevant to other profiles as well. Regards, Ezer -----Original Message----- From: Juan Carlos Cruellas [mailto:cruellas@ac.upc.edu] Sent: Friday, May 09, 2008 7:20 PM To: Huehnlein, Detlef Cc: dss-x@lists.oasis-open.org Subject: Re: AW: AW: [dss-x] Groups - Signature Policy Profile of the OASIS Digital Signature Services (oasis-dssx-1.0-profiles-sigpolicy-wd.doc) uploaded I agree, thanks Detlef Regards Juan Carlos. Huehnlein, Detlef escribió: > Hallo Juan Carlos, > > your proposal looks fine. > Nevertheless we would need to define > what happens, if there are multiple indications > of a signature policy without signature pointer. > In this case it might be appropriate to return > some warning, that the second indication was ignored etc. > > BR, > dh > >> -----Ursprüngliche Nachricht----- >> Von: Juan Carlos Cruellas [mailto:cruellas@ac.upc.edu] >> Gesendet: Freitag, 9. Mai 2008 17:19 >> An: Huehnlein, Detlef >> Cc: dss-x@lists.oasis-open.org >> Betreff: Re: AW: [dss-x] Groups - Signature Policy Profile of >> the OASIS Digital Signature Services >> (oasis-dssx-1.0-profiles-sigpolicy-wd.doc) uploaded >> >> Hi Detlef, >> >> Thank you for your email and sorry for not having reacted before. >> >> I would agree with you in general. >> I have one comment to your schema: >> >> ORIGINAL: <element name="SignatureIdentifier" >> type="vr:SignatureIdentifierType" /> >> >> >> PROPOSAL: <element name="SignatureIdentifier" >> type="vr:SignatureIdentifierType" minOccurs="0"/> >> >> If this is the case then I would establish the following rules: >> >> 0. General principle: if the signature itself has a Signature >> Policy Identifier (as in XAdES or CAdES) then the server >> verifies that signature with this policy. >> >> 1. If the verify request has includes an indication of a >> Signature Policy but not linked to any Signature (ie, only >> one IndividualPolicy but no SignatureIdentifier, then this is >> used by default for any signature without signature policy >> indication. But 0 applies for the rest of signatures. >> >> 2. If there is any pair of >> SignaturePolicyIdentifier-SignatureIdentifier, then the >> server uses the policy identified in the request. But if the >> signature itself has a signaturepolicy identifier different, >> then 0. applies again and the server notifies this fact to the client. >> >> What do you think? >> >> Regards >> >> Juan Carlos. >> Huehnlein, Detlef escribió: >>> Hallo Juan Carlos, >>> >>> it seems to me that for "typical use cases" it might be >> sufficient to >>> have a single policy for multiple signatures related to a >> document and >>> hence the simple option below might be sufficient. Do you have a >>> specific use case in mind, where multiple signatures need to be >>> verified with different policies? >>> >>> On the other side it would be easy to allow the combination of both >>> options: >>> >>> <element name="VerifyUnderSignaturePolicy" >> type="VerifyUnderSignaturePolicyType"/> >>> <complexType name="VerifyUnderSignaturePolicyType"> >>> <sequence> >>> <element name="DefaultPolicy" >> type="SignaturePolicyDetailsType" minOccurs="0"/> >>> <sequence maxOccurs="unbounded" minOccurs="0"> >>> <element name="SignatureIdentifier" >> type="vr:SignatureIdentifierType" /> >>> <element name="IndividualPolicy" >> type="SignaturePolicyDetailsType" /> >>> </sequence> >>> </sequence> >>> </complexType> >>> >>> >>> In this case it would be possible to specify a >> default-policy, which >>> will be applied, iff no other policy-indication (within the >> signature, >>> or in the element above) "overrules" this default. >>> >>> >>> BR, >>> Detlef >>> >>>> -----Ursprüngliche Nachricht----- >>>> Von: cruellas@ac.upc.edu [mailto:cruellas@ac.upc.edu] >>>> Gesendet: Freitag, 25. April 2008 17:45 >>>> An: dss-x@lists.oasis-open.org >>>> Betreff: [dss-x] Groups - Signature Policy Profile of the OASIS >>>> Digital Signature Services >>>> (oasis-dssx-1.0-profiles-sigpolicy-wd.doc) uploaded >>>> >>>> Dear all, >>>> >>>> I have uploaded an initial and uncomplete version of the signature >>>> policy profile for DSS protocol. >>>> >>>> It is uncomplete because the part profiling the >> verification protocol >>>> is missing. This is due to the fact that I am still >> thinking how to >>>> manage the situations when the <dss:VerifyRequest> >> contains more than >>>> one signature. >>>> >>>> >>>> If there is only one signature, the thing is easy, the >> client sends >>>> an identifier of the policy that the server must >> use....but if there >>>> are several... >>>> >>>> Some very initial thoughts: >>>> >>>> 1. The simplest option: pass to the server one policy >> identifier and >>>> if there is more than one signature, then the server use >> this policy >>>> (or makes whatever it wants and then let the client know?) >>>> >>>> 2. Pass a list of pairs (Signature policy signature to be >> verified). >>>> Con: requires identify all the signatures and build >> references to >>>> each signature. >>>> Pro: specifies what signature policy must be used for each >>>> signature. >>>> >>>> 3. In addition to all this, if there are several >> signatures this is >>>> strongly related with the multisignature verification >>>> profile...although I do not see problems in this. >>>> >>>> Regards >>>> >>>> Juan Carlos. >>>> >>>> >>>> -- Juan Cruellas >>>> >>>> The document named Signature Policy Profile of the OASIS Digital >>>> Signature Services >>>> (oasis-dssx-1.0-profiles-sigpolicy-wd.doc) has been >> submitted by Juan >>>> Cruellas to the OASIS Digital Signature Services eXtended >> (DSS-X) TC >>>> document repository. >>>> >>>> Document Description: >>>> Profile for instructing servers to use a certain signature policy >>>> when generating or verifying an electronic signature >>>> >>>> View Document Details: >>>> http://www.oasis-open.org/apps/org/workgroup/dss-x/document.ph >>> p?document_id=28097 >>>> Download Document: >>>> http://www.oasis-open.org/apps/org/workgroup/dss-x/download.ph >>> p/28097/oasis-dssx-1.0-profiles-sigpolicy-wd.doc >>>> PLEASE NOTE: If the above links do not work for you, your email >>>> application may be breaking the link into two pieces. >>>> You may be able to copy and paste the entire link address into the >>>> address field of your web browser. >>>> >>>> -OASIS Open Administration >>>> >> --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. You may a link to this group and all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]