Subject: DSSX: comments to J2SE code signing wd profile
Andreas,

Below follow some initial comments on the profile for J2SE code signing profile.

1. Section 1.4 Overview, Line 178: Jar Fie Specification: should it be "Jar File Specification"?

2. Section 3.1.1 Element <dss:OptionalInputs>
"The following optional inputs defined in the [DSS Core] will not be understood by a server implementing this profile:"
The term "will not be understood" seems somehow ambiguous. Is it the purpose to say that "servers implementing this profile will not process any of the following optional inputs if present"?

3. Section 220.127.116.11 Lines 217 - 220.
Should not the server return urn:oasis:names:tc:dss:1.0:resultminor:NotSupported (The server was not able to parse a Document.) if the document is of a different type than <dss:Base64>?

4. Section 3.1.3 Element <OptionalInputs> Lines 232 - 242
Algorithm identifiers: Should it not be enough to make use of URI identifiers for algorithms already defined by W3C and even in some RFC? Also, there are identifiers for digest algorithms and asymmetric encryption algorithms, but not signature (combination of digest/asymmetric encryption) algorithms....

5. Section 18.104.22.168 Element <dss:Documents>
It is not clear to me how the different paragraphs relate to each other...below they are repeated:

"If the server processed the request successful the server MUST include the J2SE JAR file on which the signature was created as an optional output using the <dss:Documents> element."
My reading: a successful operation shall result in a response with a <dss:Documents>

"If the <dss:Document> element is included in the response as an optional output, it MUST include the Base64 encoded J2SE JAR file within a <dss:Base64Data> element."
My reading: a successful operation shall result in a <dss:Base64Data> element including the base 64 encoded J2SE JAR file.

Suggestion: one sentence specifying that a response following a successful operation MUST include the J2SE JAR file within a <dss:Document>'s <dss:Base64> child.

"If the <dss:SignatureObject> is present, the included J2SE JAR file MUST be the file on which the signature included in the <dss:SignatureObject> was calculated."
Does this mean that there is the possibility that the dss:SignatureObject is not present? And if so, where is the signature? Within the J2SE JAR object? Or is the meaning that if everything goes well the signature will be returned here, and if it does not go well, then there will obviously not be such an element? If so, this should be explicitly mentioned in the text. In addition, I would say that the text of the sentence should point towards the signature instead of the J2SE JAR file, i.e. something like: "The <dss:SignatureObject> if present, will contain the digital signature computed on the J2SE JAR file."

6. 4 Profile of Verifying Protocol. Lines 269-271
Does this mean that a server may not verify a signature on a J2SE file? Why not? One thing is not profiling the verification protocol, another one is saying that servers will not respond to any verification request....this is also present in J2ME...maybe it is a matter of wording?

Regards
Juan Carlos.