[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] Compound operation Verify & Sign
Ed, Nick,
Just to check if an agreement's been reached: you don't want a
VerifyAndSign protocol; but you do want an Option on the Verify protocol to
return a "freshened" signature?
Could this be as simple as:
<Options>
......
<RequestUpdatedSignature/>
</Options>
<Outputs>
<UpdatedSignature>
......
</UpdatedSignature>
</Outputs>
?
Trevor
At 09:21 PM 11/2/2003 -0500, Edward Shallow wrote:
>Nick,
>
> What you described in the 2nd paragraph below is exactly what we had been
>discussing all along, i.e. "Options" driving ancilliary operations driving
>additional "Outputs" or "Results". I have not problem with this other than I
>doubt we can call it an alternative.
>
> Example: VerifyAndAddArchiveTimeStamp or Freshen etc... simply performs a
>conventional Verify followed by an appropriately structured TimeStamp and
>returns it as an additional base64 or XML signature which MUST be reflected
>as an optional response element in the Verify which can be re-used for any
>"Option" forcing return of a detached TimeStamp. If the TimeStamp is
>referenced in the XMLDSIG Object structure as does ETSI, then the extra
>response element may not be required. This example is academic as I suspect
>ArchiveTimeStamp in the ETSI definition is non-core anyway.
>
> Additionally, results of the ancilliary operation must be clearly
>understandable as coming from the ancilliary operation and the not the
>primary operation.
>
> As we get into this, any attempt to capture all compund operation as
>native compound operations (e.g. VerifyAndFreshenTimeStamp sic !!!) will
>quickly degrade into permutations and combinations which will prove too
>numerous .
>
>Ed
>
>-----Original Message-----
>From: Nick Pope [mailto:pope@secstan.com]
>Sent: October 31, 2003 5:49 AM
>To: Ed Shallow
>Cc: dss@lists.oasis-open.org
>Subject: RE: [dss] Compound operation Verify & Sign
>
>This brings to mind an alternative approach which might be more appropriate
>than a verify and sign:
>
>The <Signature> structure could be included as an optional element in the
>results structure of Verify. This could contain an updated copy of the
>signature which has been verified with the addition of CRL etc as identified
>below, archive time-stamps or any counter signatures. The required function
>can be controlled through the necessary <Options>.
>
>I recognise that a new VerifyAndSign operation would be misleading if the
>signature is just updated with the CRL and certificates and an additional
>signature is not necessarily applied.
>
>As before I also prefer this approach to just placing <signature> as I see
>it as being a primary part of the core protocol which may be used by several
>of the profiles.
>
>Does this suite you as a way forward Ed?
>
>Nick
>
> > -----Original Message-----
> > From: Karel Wouters [mailto:Karel.Wouters@esat.kuleuven.ac.be]
> > Sent: 30 October 2003 13:14
> > To: Nick Pope
> > Cc: dss@lists.oasis-open.org
> > Subject: RE: [dss] Compound operation Verify & Sign
> >
> >
> > a little addition to the discussion:
> >
> > I think the 'verify and sign' operation is the equivalent to the
> > 'initial verification', as discussed in CWA 14171. This operation adds
> > data to the signature that can be used in a future verification
> > (time-stamp, CRL information, etc). An example could be a basic XAdES
> > signature that is extended to a XAdES-X-L signature by the server.
> > This information is used later on in so-called 'usual verifications'.
> >
> > I won't make a judgment on whether or not this should appear on the
> > primary level. I only want to remark that the two kinds of
> > verification are very different.
> >
> > all the best,
> >
> > Karel.
> >
> >
> >
> >
> > On Thu, 30 Oct 2003, Nick Pope wrote:
> >
> > > Ed,
> > >
> > > I agree with your aim for flexibility and that this could be
> > > achieved by additions of options and outputs.
> > >
> > > However, I believe that because the basic semantics and structure of
> > > the inputs/outputs of the verify and sign is different from the
> > verify (or sign)
> > > on its own.
> > >
> > > With the verify and sign a signature exists in the inputs, and
> > an updated
> > > signature in the outputs, and because this the signature is
> > both the primary
> > > input and the primary out I believe that it should appear as part of
> > > the basic structure rather than the options. Also, I believe that
> > it would make
> > > the procedures for handling the signature clearer with a
> > signature coming in
> > > feeding into the verify and an updated signature coming out.
> > >
> > > So like Trevor I believe verify and sign (update siganture??)
> > > operation should appear at the primary level as is it effects the
> > > basic
> > operation of
> > > the server, not as part of the options. I do not think that
> > the addition of
> > > time-stamps to a signature is the same thing.
> > >
> > > Nick
> > >
> > > > -----Original Message-----
> > > > From: Edward Shallow [mailto:ed.shallow@rogers.com]
> > > > Sent: 26 October 2003 18:50
> > > > To: 'Nick Pope'; dss@lists.oasis-open.org
> > > > Subject: RE: [dss] Compound operation Verify & Sign
> > > >
> > > >
> > > > Nick and Co,
> > > >
> > > > The last suggested position I remember getting consensus on was
> > > > that the request for the secondary or ancilliary operation should
> > > > be expressed in the "Options" or "ProcessingOptions" structure as
> > > > it was then called.
> > > >
> > > > So in your example below, the principle operation is the
> > "Verify". The
> > > > client requestor must express their desire through use of
> > (for example) an
> > > > "AddContentTimeStamp" option or something similar.
> > > >
> > > > This may necessitate additonal "Outputs" but the protocol is
> > > > nicely able to handle that.
> > > >
> > > > As it pertains to the EPM, we have need for several such
> > > > compound operations, but we will use our profile extension to
> > > > express
> > them. I also
> > > > remember discussing that additional and/or optional "outputs" and
> > > > "results"
> > > > would be expressed by the requestor as "options".
> > > >
> > > > I'll dig up the references if you wish.
> > > >
> > > > Ed
> > > >
> > > > -----Original Message-----
> > > > From: Nick Pope [mailto:pope@secstan.com]
> > > > Sent: October 24, 2003 4:28 AM
> > > > To: OASIS DSS TC
> > > > Subject: [dss] Compound operation Verify & Sign
> > > >
> > > > Following the discussion on the <Status> element brings to mind
> > > > the discussion we had a few meetings ago on compound (or what Ed
> > > > called stacked) operations and particularly the ability to support
> > > > a VerifyAndSign operation where a counter signature is applied
> > > > based on whether the original signature is valid.
> > > >
> > > > I believe that such an operation is important in a number of use
> > > > cases, for example, notarisation services.
> > > >
> > > > This was brought up at the F2F meeting and was included in the
> > > > requirements document (3.9). My recollection of the discussion on
> > > > 22 Sept
> > is that the
> > > > only compound operation that was needed would be
> > VerifyAndSign, although I
> > > > see no record of it in the minutes.
> > > >
> > > > How do we envisage VerifyAndSign being supported in the DSS
> > protocol? Is
> > > > there a way of combining the two request / response
> > structures, or do we
> > > > need to define a specific structure which is this combined operation?
> > > >
> > > > Nick
> > > >
> > > >
> > > >
> > > > To unsubscribe from this mailing list (and be removed from the
> > > > roster of the OASIS TC), go to
> > > > http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_wor
> > > kgroup.php
> > > .
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > To unsubscribe from this mailing list (and be removed from the
> > roster of the OASIS TC), go to
> > http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_wor
>kgroup.php.
> >
>
>
>
>
>
>To unsubscribe from this mailing list (and be removed from the roster of
>the OASIS TC), go to
>http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]