[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: AW: [dss-x] Verification Reports
Dear Frank I take the oportunity for asking you about one of the questions you addressed to the TC, that is the: "eID DSS Browser POST Protocol" issue. The TC would like to ask your views on how this proposal would relate to the transport binding 6.1 HTTP POST Transport Binding of DSS Core? Best regards Juan Carlos El 30/11/2010 14:15, Frank Cornelis escribió: > Hi Detlef, > > > Many thanks for your feedback. > > I already changed the way the signing certificate is communicated back > as part of the DetailedSignatureReport. Now I'm using > DetailedSignatureReport/CertificatePathValidity/PathValidityDetail/CertificateValue > as you mention. In attachment you'll find an example of a real-world > verification request and verification report using an XML document > signed with my Belgian eID card. Feedback is always welcome. Indeed, the > spec is not always that clear as to what fields to use exactly. > > FYI... a presentation about the eID DSS is available at: > http://eid-dss.googlecode.com/files/fedict-eid-dss.pdf > > > Kind Regards, > Frank. > > On 11/22/2010 04:30 PM, Huehnlein, Detlef wrote: >> Hallo Frank, >> >> thank you very much for mail. Sorry, that my answer took >> that much time. >> >>> As part of an eID DSS implementation targeting the Belgian >>> eID card, available at: >>> http://code.google.com/p/eid-dss/ >>> I've implemented OASIS DSS core and the VR profile. I'm >>> looking for feedback on this to be sure that I've interpreted >>> the VR profile correctly. A protocol run by example is >>> available as part of the eID DSS developer's guide at: >>> >>> http://eid-dss.googlecode.com/files/eid-dss-dev-guide-15-09-2010.pdf >>> under section "3. OASIS DSS Web Service". So here are my questions: >>> Is it OK to use >>> vr:VerificationReport/vr:IndividualReport/vr:SignedObjectIdent >>> ifier/vr:SignedProperties/vr:SignedSignatureProperties/xades:S >>> igningTime to uniquely identify the signature? >> Yes. Using the xades:SigningTime-property to identify the signature is >> usually a good idea, as using this element as identifier is very >> natural for human consumers of a verification report. However if it >> can not be guaranteed that the signing time alone is sufficient to >> provide uniqueness, it is advisable to also use additional identifiers >> (e.g. DigestAlgAndValue, SignatureValue) to ensure the unique >> identification >> of signatures. >> >>> Is it OK to use >>> vr:VerificationReport/vr:IndividualReport/vr:Details/vr:Indivi >>> dualCertificateReport/vr:CertificateValue to get the signing >>> certificate? >> Concerning this question it is not entirely clear to me what >> you exactly mean by "to get the signing certificate". >> >> If you ask whether >> vr:VerificationReport/vr:IndividualReport/vr:Details/vr:IndividualCertificateReport >> >> is the "right place" to include the verification result for the >> "signing certificate" >> (in the sense of the SigningCertificate-property of a XAdES-signature >> according to Section 7.2.2 of >> http://uri.etsi.org/01903/v1.4.1/ts_101903v010401p.pdf), >> which may contain the certificate itself in the >> CertificateValue-element, then >> the answer is "no", because the verification result for a certificate >> on which an >> advanced electronic signature is based SHOULD be reported in the >> first vr:CertificateValidity-element within >> vr:DetailedSignatureReport/vr:CertificatePathValidity/vr:PathValidityDetail. >> >> >> The vr:IndividualCertificateReport-element is only meant to be used if >> a certificate is to >> be verified WITHOUT a specific signature-related context. >> >> As this point is not yet clearly specified in the current version of >> the profile, >> we will include a clarifying note as soon as possible. >> >> It would be great, if you could provide some more details about the >> second question. >> >> Best regards, >> Detlef >> >>> Besides the VR profile implementation, section 2 of the same >>> developer's guide also highlights the implementation of an >>> "eID DSS Browser POST Protocol" for the creation of eID based >>> signatures that require interaction with the web browser of >>> the end-user. What I would like to do is to define a similar >>> Browser POST profile on top of the OASIS DSS core. So where >>> to get started? I just do some implementation, document it >>> and send it over for review? >>> >>> >>> Thanks in advance, >>> Frank. >>> --------------------------------------------------------------------- >>> To unsubscribe from this mail list, you must leave the OASIS TC that >>> generates this mail. Follow this link to all your TCs in OASIS at: >>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgr >> oups.php >>> > > > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]