Re: comments on XAdES profile wd-02

[Juan Carlos Cruellas Ibarz <cruellas@ac.upc.es>]

Trevor, 
Thank you for your comments. As I have been on holidays, I have
not managed to read them before...
Below my answers.
>
>
>The title should probably include "Abstract", like: "XAdES Abstract Profile 
>of the..."
>
Agreed.

>The abstract could be updated to match the current template, which no 
>longer refers to protocol profiles: "This draft profiles the OASIS DSS core 
>protocols for the purpose of creating and verifying XAdES signatures".
>
The document does not have an abstract section, so I guess that I have
used an old template... I will do that. Agreed.

>The Introduction could be updated too.
Agreed.
>
>The schema namespace URL could be made consistent with the core, by 
>changing the filename to "oasis-dss-1.0-profiles-XAdES-wd-02".
>
Agreed.

>Line 100 can be deleted.
>
Agreed.


>Section 2.1 could be changed to say: "This profile does not specify a URI 
>Identifier".
What is exactly the purpose of this identifier? If it is for identifyihng
the profile,
then I guess that the namespace's URI would serve... should I then give the
same value of the namespace or just say  what you suggest?

>
>Line 122: remove both occurences of "to" from this sentence.

Agreed
>
>Section 2.2: I would move all of the text here except the first sentence to 
>a new section "1.3 Overview (Non-normative)".
>
Is it because it woudl be not normative? My idea of the scope was to
indeed give details on the scope of the profile (ie, what is covered...)

>Issue 1.1: it seems like this draft does have the ability to add arbitrary 
>signed properties?

Well, in fact it is not completely prepared for doing that: only a few
properties
are individually managed; the rest are incorporated by means of identifying
a specific "form" (a form is a signature containing a specific combination of 
properties).

>
>Sections 2.5 and 2.6: Since this is an abstract profile, you can just say: 
>"This profile does not specify or constrain the XXXX binding."
>

It is true.... agreed.

>Line 200: <SignatureType> has no type attribute.
>
Oooops... yes: you are right... I missread(?) the spec.
I will change the text.

>Issue #3: I'm not sure what this version applies to.  But you could always 
>introduce new URIs to do versioning, so I'd say you could leave it out.
>
Versions of the standards... standards are updated from time to time and
between versions may appear differences...
You point another way of doing versioning: uris.

>Section 3.1.1.3: It's not necessary to use <ClaimedIdentity> for the server 
>to know which certificate to use.  For example, maybe you authenticate with 
>a username/password, and the server automatically knows which certificates 
>goes with your account.  I think you should reword this and omit 
><ClaimedIdentity>.

But we have this element in the protocol just for the cases where the clien
wants to pass this information to the server... I do not see the point of not
using this element precisely in a situation where one needs to inform
of the identity to the server...


>
>Line 320: "DocsToB[e]TimeS[t]amped" misspelled.
>

True.. I will fix it.

>Issue #4: The <dss:SignedReferences> optional input has a RefId attribute, 
>that can be used to set ds:Reference/@Id.  However, I think it would be 
>better to refer to the input document with WhichDocument, like you're 
>doing, and let the server set ds:Reference/@Id automatically.
>

My point was that in the core document, the DocumentBaseType allows you to 
instruct the server to assign URI and Type to the ds:Reference, but not the
Id attribute.
What is the reason why dss:SignedReference has  the RefID and DocumentBaseType
does not have it?


>Lines 404 and 407: Maybe rephrase using "SHALL" instead of "MUST".
>
In fact, RFC 2119 say that both are equivalent: both imply an absolute
requirement.. another issue is whether one is better from the english language
point of view...

>Section 4.1.2.2: Is this a mistake?
>

Yes...it should say that this flag will be provided when an operation of
updatign is requested.
I will rephrase the sentence..
>

Again, thank you very much for your comments Trevor

Juan Carlos.
>Trevor
>
>
>
>
>
>
>
>