dss-x message



Subject: Comment on individual report profile


Dear Detlef,

Looking at the document, I see the following structure:

IndividualReportType
    |
    +-- SignedObjectIdentifier
    |
    +-- Result
    |
    +-- Details

Then the text says that <DetailedSignatureReport> may appear within the 
Details for providing details of the signature. So far so good....

But I have some problems with the SignedObjectIdentifier.

Section 3.3, for its <DigestAlgAndValue> child element, says:
"This element contains, if present, the hash value of the signature or 
validation data under consideration, where the signed object itself 
(e.g. the <ds:Signature>-element in case of an XML-signature according 
to [RFC3275], the SignedData-structure in case of a CMS-signature 
according to [RFC3852] or a time stamp according to [RFC3161], the 
Certificate- or CertificateList-structure in case of an 
X.509-certificate or CRL according to [RFC5280] or the 
OCSPResponse-structure in case of an OCSP-response according to 
[RFC2560] for example) serves as input for the hash-calculation. The 
structure of the DigestAlgAndValueType is defined in [XAdES]. This 
element SHOULD NOT be used if the unique identification can be 
guaranteed by other elements"

This text seems to me to indicate that the current specification 
foresees that this type may identify not only signatures (XML Sig or 
CMS) but also time-stamps, X.509 certs and CRLs, or even OCSP responses...

Now the document immediately starts making it clear that this element 
will serve to identify a signature; it goes through all the information 
that may be returned in a detailed report, and finally it is not until 
we reach 3.5.5 to 3.5.10 that we find a list of reports that may appear 
also qualified by an instance of this type... and in the meantime the 
reader has found things like section 3.5.3.1, which uses 
ds:X509IssuerSerialType as the identifier of the certificate, and section 
3.5.3.3, which uses XAdES:CRLIdentifierType for identifying CRLs and 
XAdES:OCSPIdentifierType for identifying OCSP responses...

I have one question and some comments:

1. Question: in which context would you say that an 
IndividualCertificateReport (the same applies to AttributeCertificate, 
CRL or OCSPResponse, not for IndividualTimeStamp as this protocol could 
also serve for getting detailed reports on a time-stamp, not on a 
signature) would appear? Section 3.5.5 defines this element, but I do 
not see anywhere any indication that it should appear in some Signature 
report.

2. Depending on the answer to this question, we could then think of 
moving sections 3.5.5 to 3.5.10 to another place ahead in the document?

Regards

Juan Carlos.

