[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [dss] CMS
Trevor, Here is a succinct summary of my suggestion: Background ********** - SignaturePtr (WhichDocument, Xpath) does not handle CMS Verify - single signature, single document Verify scenario makes SignaturePtr superfluous - freedom to support Verify of more than one signature in document should not be constricted by core - delineation of CMS support, in core versus in profile needs better treatment and explanation - SignatureType refinement required to support the 2 basic CMS signature types, detached and enveloping Recommendations *************** - support only basic CMS signature handling in the core (consistent with Requirements) - Sign - create enveloping CMS/PKCS7 signature - create detached CMS/PKCS7 signature - Verify - verify single enveloping signature in incoming SignedData CMS/PKCS7 - verify single detached signature in incoming SignedData CMS/PKCS7 and InputDocument - ReturnUpdatedSignature (e.g. add timestamp as unauthenticated attribute to exisiting CMS/PKCS7, already supported in spec) - leave extended CMS signature handling to the profiles - counter-signature creation and verification - multi-signed (co-signed) signature creation and verification - verification of both CMS/PKCS7 and any embedded timestamp - creation of CMS signatures using client-side hashing - verification of specific signatures within a multi-signed CMS/PKCS7 (perhaps using Trevor's SignedInfo suggestion) - explain degree of CMS support clearly in spec - mark InputDocuments as optional to support single signature verify scenario (CMS) - mark SignatureObject as optional to support single signature verify scenario (XMLDSIG) - allow WhichDocument to be used without an XPath element (i.e. make XPath optional within SignaturePtr) - allow requests to specify the presence of multiple signatures through new SignatureType URNs (e.g. multi) or a new OptionalInput element - specify that implementations must return the NotSupported URN should they be unable to honor an OptionalInput when multiple signatures present - write up semantics associated with the above and include in spec Outstanding *********** - should ProcessingDetails be enhanced to support results scope (as opposed to restricting profiles from reporting on multiple signature statuses) Tweaking welcome !!! Ed -----Original Message----- From: Trevor Perrin [mailto:trevp@trevp.net] Sent: April 21, 2004 6:36 AM To: Ed Shallow Subject: RE: [dss] CMS >[Trevor] >In your proposal, the client sends a SignedData. When a SignedData >contains multiple SignerInfos (co-signatures or counter-signatures), >what does the server do? Hi Ed - actually, if you could answer the above question (to me or on list, whichever), I'll send out a summary of both CMS approaches and request other opinions (or send out the summary yourself). I think we've reduced this issue to 2 clear, reasonable proposals (and good for us for doing that!), so we might as well put it to a vote. Trevor
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]