Re: [dss] OASIS DSS "Request for Feedback" - Signing Templates

[Andreas Kuehne <kuehne@klup.de>]

Hi Ed !

Let me express my discomfort with the template approach.

I guess a template is useful in he case of a signing server which is not 
capable of some ( new / strange  ) aspects of a signature format. So it 
would just sign but not interpret the rest of the template. That sounds 
to me like putting your sign under a document you cannot read or 
understand !

I want a signature server to be aware of every bit of the signature 
output. That's assured by building the signature document from scratch, 
not by filling in some bits in a template document.

Greetings

Andreas

>Folks,
>
>   As a result of a discussion on the September 6th conference call, the
>OASIS DSS chairs would like your feedback and opinion on the potential use
>of "signing templates" as an option within DSS core. A brief description
>follows.
>
>    Essentially signing templates are XML skeleton "signed documents" which
>are passed up to the Sign protocol as input. The template embodies all of
>the directives and format required of the resultant signature expressed as
>an XMLSig-compliant template. 
>    
>    A signing template contains not only the data to be signed, but also the
>format and directives of the signature to be created, expressed as valid
>[XMLSig] elements. [XMLSig] elements such as <SignatureValue>,
><DigestValue>, and <X509Certificate> are left empty on input, but are
>subsequently populated by the DSS service. The user simply leaves these
>selected element tags empty, and the DSS service would automatically include
>the generated content and return the signed document in the appropriate
>element of the <SignResponse>.
>
>    The best way to illustrate a template is via an example. As one can see,
>things like transforms, signature placement, key name, certificate details,
>digest algorithms, and more can all be expressed in the template. Things
>like digest value, signature value, certificate body, etc ... Are filled in
>by the DSS service.
>
>    It is just a convenient way of expressing signature requirements.
>
>    The question to the team is "Should a generic non-specific notion of
>templating be incorporated in the DSS core ?"
>
>    Feedback welcome and encouraged.
> 
>
><?xml version="1.0" encoding="UTF-8"?>
><Document>
>	<Data>
>		<SubData1 MimeType="text/plain">This is some data to be
>signed.</SubData1>
>		<SubData2 MimeType="text/plain">This is more data to be
>signed.</SubData2>
>	</Data>
>	<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";>
>		<dsig:SignedInfo>
>			<dsig:CanonicalizationMethod
>Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>			<dsig:SignatureMethod
>Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>				<dsig:Reference URI="">
>					<dsig:Transforms>
>						<dsig:Transform
>Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>					</dsig:Transforms>
>					<dsig:DigestMethod
>Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>	
><dsig:DigestValue></dsig:DigestValue>
>				</dsig:Reference>
>		</dsig:SignedInfo>
>		<dsig:SignatureValue>
>		</dsig:SignatureValue>
>		<dsig:KeyInfo>
>			<dsig:KeyName>C=CA, O=Acme, OU=For Test Use Only,
>CN=Joe Public, E=JoeP@yahoo.ca</dsig:KeyName>
>			<dsig:X509Data>
>	
><dsig:X509Certificate></dsig:X509Certificate>
>	
><dsig:X509SubjectName></dsig:X509SubjectName>
>	
><dsig:X509IssuerSerial></dsig:X509IssuerSerial>
>			</dsig:X509Data>
>		</dsig:KeyInfo>
>	</dsig:Signature>
></Document>
>
>
>
>
>
>
>To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php.
>
>
>  
>