OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

dss-x message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: DSSX: comments to J2SE code signing wd profile


Below follow some initial comments on the profile for J2SE code signing 

1. Section 1.4 Overview, Line 178:
Jar Fie Specification: should it be "Jar File Specification"?

2. Section 3.1.1 Element <dss:OptionalInputs>

"The following optional inputs defined in the [DSS Core] will not be 
by a server implementing this profile:"

the term "will not be understood" seems somehow ambiguous. Is it the 
purpose to say that
"servers implementing this profile will not process any of the following 
inputs if present"?.

3.Section Lines 217 - 220. Should not the server return

(The server was not able to parse a Document.)

if the document is of a different type than <dss:Base64>?

4. Section  3.1.3 Element <OptionalInputs> Lines 232 - 242
Algorithm identifiers: Should it not be enough to make use of URI 
identifiers for algorithms already defined
by W3C and even in some RFC?

Also, there are identifiers for digest algorithms and asymetric 
encryption algorithms, but not
signature (combination of digest/asymetric encryption) algorithms....

5. Section Element <dss:Documents>

It is not clear to me how the different paragraphs relate each 
other...below they are repeated:

"If the server processed the request successful the server MUST include 
the J2SE JAR file
on which the signature was created as an optional output using the 
<dss:Documents> element."

My reading: a successful operation shall result in a response with a 
"If the <dss:Document> element is included in the response as an 
optional output, it MUST
include the Base64 encoded J2SE JAR file within a <dss:Base64Data> 
element. "

My reading: a successful operation shall result in a <dss:Base64Data> 
element including the base 64 encoded
J2SE JAR file.

Suggestion: one sentence specifying that a response following a 
successful operation MUST include
the J2SE JAR file within a <dss:Document>'s <dss:Base64> child.

"If the <dss:SignatureObject> is present, the included J2SE JAR file 
MUST be the file
on which the signature included in the <dss:SignatureObject> was 
calculated. "

Does this mean that there is the possibility that the 
dss:SignatureObject is not present? and if so,
where is the signature? within the J2SE JAR object or the meaning is 
that if everything goes well
the signature will be returned here and if does not go well, then there 
will not be
obviously such an element? if so, this should be explicitly mentioned in 
the text.

In addition, I would say that the text of the sentence should point 
towards the signature instead
the J2SE JAR file, i.e. something  like: "The <dss:SignatureObject> if 
present, will contain
the digital signature computed on the J2SE JAR file."

6. 4 Profile of Verifying Protocol. Lines 269-271

Does this mean that a server may not verify a signature on a J2SE file? 
why not? one thing is not
profiling the verification protocol, another one is saying that servers 
will not respond to any
verification request....this is also present in J2ME...maybe is  a 
matter of wording?


Juan Carlos.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]