OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

dss-x message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: AW: [dss-x] Verification Reports

Hallo Frank,

thank you very much for mail. Sorry, that my answer took 
that much time. 

> As part of an eID DSS implementation targeting the Belgian 
> eID card, available at:
>     http://code.google.com/p/eid-dss/
> I've implemented OASIS DSS core and the VR profile. I'm 
> looking for feedback on this to be sure that I've interpreted 
> the VR profile correctly. A protocol run by example is 
> available as part of the eID DSS developer's guide at:
> http://eid-dss.googlecode.com/files/eid-dss-dev-guide-15-09-2010.pdf
> under section "3. OASIS DSS Web Service". So here are my questions:
> Is it OK to use 
> vr:VerificationReport/vr:IndividualReport/vr:SignedObjectIdent
> ifier/vr:SignedProperties/vr:SignedSignatureProperties/xades:S
> igningTime to uniquely identify the signature? 

Yes. Using the xades:SigningTime-property to identify the signature is 
usually a good idea, as using this element as identifier is very 
natural for human consumers of a verification report. However if it 
can not be guaranteed that the signing time alone is sufficient to 
provide uniqueness, it is advisable to also use additional identifiers 
(e.g. DigestAlgAndValue, SignatureValue) to ensure the unique identification 
of signatures.

> Is it OK to use 
> vr:VerificationReport/vr:IndividualReport/vr:Details/vr:Indivi
> dualCertificateReport/vr:CertificateValue to get the signing 
> certificate?

Concerning this question it is not entirely clear to me what
you exactly mean by "to get the signing certificate". 

If you ask whether vr:VerificationReport/vr:IndividualReport/vr:Details/vr:IndividualCertificateReport
is the "right place" to include the verification result for the "signing certificate"
(in the sense of the SigningCertificate-property of a XAdES-signature
 according to Section 7.2.2 of http://uri.etsi.org/01903/v1.4.1/ts_101903v010401p.pdf), 
which may contain the certificate itself in the CertificateValue-element, then 
the answer is "no", because the verification result for a certificate on which an
advanced electronic signature is based SHOULD be reported in the 
first vr:CertificateValidity-element within vr:DetailedSignatureReport/vr:CertificatePathValidity/vr:PathValidityDetail.

The vr:IndividualCertificateReport-element is only meant to be used if a certificate is to 
be verified WITHOUT a specific signature-related context. 

As this point is not yet clearly specified in the current version of the profile, 
we will include a clarifying note as soon as possible. 

It would be great, if you could provide some more details about the second question. 

Best regards,

> Besides the VR profile implementation, section 2 of the same 
> developer's guide also highlights the implementation of an 
> "eID DSS Browser POST Protocol" for the creation of eID based 
> signatures that require interaction with the web browser of 
> the end-user. What I would like to do is to define a similar 
> Browser POST profile on top of the OASIS DSS core. So where 
> to get started? I just do some implementation, document it 
> and send it over for review?
> Thanks in advance,
> Frank.
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgr

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]