Subject: Re: [dss] OASIS DSS "Request for Feedback" - Signing Templates
Hi Ed!

Let me express my discomfort with the template approach. I guess a template is useful in the case of a signing server which is not capable of some (new / strange) aspects of a signature format. So it would just sign but not interpret the rest of the template. That sounds to me like putting your sign under a document you cannot read or understand! I want a signature server to be aware of every bit of the signature output. That's assured by building the signature document from scratch, not by filling in some bits in a template document.

Greetings,
Andreas

> Folks,
>
> As a result of a discussion on the September 6th conference call, the
> OASIS DSS chairs would like your feedback and opinion on the potential use
> of "signing templates" as an option within DSS core. A brief description
> follows.
>
> Essentially signing templates are XML skeleton "signed documents" which
> are passed up to the Sign protocol as input. The template embodies all of
> the directives and format required of the resultant signature expressed as
> an XMLSig-compliant template.
>
> A signing template contains not only the data to be signed, but also the
> format and directives of the signature to be created, expressed as valid
> [XMLSig] elements. [XMLSig] elements such as <SignatureValue>,
> <DigestValue>, and <X509Certificate> are left empty on input, but are
> subsequently populated by the DSS service. The user simply leaves these
> selected element tags empty, and the DSS service would automatically include
> the generated content and return the signed document in the appropriate
> element of the <SignResponse>.
>
> The best way to illustrate a template is via an example. As one can see,
> things like transforms, signature placement, key name, certificate details,
> digest algorithms, and more can all be expressed in the template. Things
> like digest value, signature value, certificate body, etc. are filled in
> by the DSS service.
>
> It is just a convenient way of expressing signature requirements.
>
> The question to the team is "Should a generic non-specific notion of
> templating be incorporated in the DSS core?"
>
> Feedback welcome and encouraged.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Document>
>   <Data>
>     <SubData1 MimeType="text/plain">This is some data to be signed.</SubData1>
>     <SubData2 MimeType="text/plain">This is more data to be signed.</SubData2>
>   </Data>
>   <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>     <dsig:SignedInfo>
>       <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       <dsig:Reference URI="">
>         <dsig:Transforms>
>           <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         </dsig:Transforms>
>         <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <dsig:DigestValue></dsig:DigestValue>
>       </dsig:Reference>
>     </dsig:SignedInfo>
>     <dsig:SignatureValue>
>     </dsig:SignatureValue>
>     <dsig:KeyInfo>
>       <dsig:KeyName>C=CA, O=Acme, OU=For Test Use Only, CN=Joe Public, E=JoeP@yahoo.ca</dsig:KeyName>
>       <dsig:X509Data>
>         <dsig:X509Certificate></dsig:X509Certificate>
>         <dsig:X509SubjectName></dsig:X509SubjectName>
>         <dsig:X509IssuerSerial></dsig:X509IssuerSerial>
>       </dsig:X509Data>
>     </dsig:KeyInfo>
>   </dsig:Signature>
> </Document>
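What "being aware of every bit of the signature output" costs a template-filling server, as an added example for this thread (it is not OASIS DSS code and not Ed's or Andreas's): the quoted template is audited directive by directive against an allowlist before the empty DigestValue and SignatureValue slots are computed, so a transform, algorithm or Reference URI the server does not understand is refused instead of being "signed but not interpreted". Assumptions not taken from the mail: Python's xml.etree canonicalize() (C14N 2.0) stands in for the C14N 1.0 URI the template names (the output is self-consistent with verify_signed() but not interoperable as-is); demo_signer is an HMAC stand-in for the RSA-SHA1 primitive so the block runs offline and is not a real signature; the KeyInfo block is left unpopulated; TEMPLATE is Ed's example re-typed as constructed input.

```python
# Added example for this thread (not OASIS DSS code): a template-filling signer
# that refuses anything it does not understand. Assumptions: xml.etree's
# canonicalize() (C14N 2.0) stands in for the C14N 1.0 URI the template names;
# demo_signer is an HMAC stand-in for RSA-SHA1, NOT a signature; KeyInfo is
# left unpopulated.
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("dsig", DSIG)  # keep the template's prefix on output
ENVELOPED = DSIG + "enveloped-signature"
# Policy: only what the server understands (here, what the quoted template uses).
ALLOWED_C14N = {"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"}
ALLOWED_SIGNATURE = {DSIG + "rsa-sha1"}
ALLOWED_DIGEST = {DSIG + "sha1": hashlib.sha1}


class TemplateRejected(Exception):
    """The template asks for something the signer will not put its name under."""

def _q(local):
    return "{%s}%s" % (DSIG, local)

def _c14n(elem):  # canonical bytes of one subtree (C14N 2.0 stand-in)
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")

def _need(cond, msg):
    if not cond:
        raise TemplateRejected(msg)

def _alg(parent, local, allowed):
    """Algorithm URI of parent/<local>, refused unless allowlisted."""
    el = parent.find(_q(local))
    _need(el is not None and el.get("Algorithm") in allowed, local + " not allowed")
    return el.get("Algorithm")

def audit(root):
    """Check every directive in the template; return its one Signature element."""
    sigs = list(root.iter(_q("Signature")))
    _need(len(sigs) == 1, "expected exactly one dsig:Signature")
    sig, si = sigs[0], sigs[0].find(_q("SignedInfo"))
    _need(si is not None and sig.find(_q("SignatureValue")) is not None,
          "SignedInfo or SignatureValue slot missing")
    _alg(si, "CanonicalizationMethod", ALLOWED_C14N)
    _alg(si, "SignatureMethod", ALLOWED_SIGNATURE)
    refs = si.findall(_q("Reference"))
    _need(refs, "no Reference: nothing would be signed")
    for ref in refs:
        # Only the enveloping document (URI="") is signed; any other URI would
        # have the server dereference content it did not build.
        _need(ref.get("URI") == "", "Reference URI %r not allowed" % ref.get("URI"))
        _alg(ref, "DigestMethod", ALLOWED_DIGEST)
        _need(ref.find(_q("DigestValue")) is not None, "DigestValue slot missing")
        # XSLT/XPath transforms let the template author choose what the digest
        # covers: exactly one parameter-less enveloped-signature is accepted,
        # and it is required or the digest would cover the signature itself.
        seen = [(t.get("Algorithm"), len(t))
                for t in ref.findall(_q("Transforms") + "/" + _q("Transform"))]
        _need(seen == [(ENVELOPED, 0)], "Transforms %r not allowed" % seen)
    return sig

def _enveloped_input(root):
    """enveloped-signature transform: the document with <Signature> cut out.
    The text that followed Signature (its .tail) must survive the cut."""
    doc = copy.deepcopy(root)
    for parent in doc.iter():
        for i, child in enumerate(list(parent)):
            if child.tag == _q("Signature"):
                keep, attr = (parent[i - 1], "tail") if i else (parent, "text")
                setattr(keep, attr, (getattr(keep, attr) or "") + (child.tail or ""))
                parent.remove(child)
                return doc

def sign_template(template_xml, signer):
    """Audit, fill the slots (digests first, then the signature), return bytes.
    signer(data, algorithm_uri) -> bytes is the pluggable primitive (key/HSM)."""
    root = ET.fromstring(template_xml)
    sig = audit(root)
    si = sig.find(_q("SignedInfo"))
    data = _c14n(_enveloped_input(root))
    for ref in si.findall(_q("Reference")):
        h = ALLOWED_DIGEST[ref.find(_q("DigestMethod")).get("Algorithm")]
        ref.find(_q("DigestValue")).text = base64.b64encode(h(data).digest()).decode()
    alg = si.find(_q("SignatureMethod")).get("Algorithm")
    sig.find(_q("SignatureValue")).text = base64.b64encode(signer(_c14n(si), alg)).decode()
    return ET.tostring(root, encoding="utf-8")

def verify_signed(signed_xml, signer):
    """Re-sign a copy and compare: True iff every filled slot is reproduced. Sound
    only because demo_signer is deterministic and symmetric; RSA would be checked
    against the public key instead."""
    try:
        return hmac.compare_digest(sign_template(signed_xml, signer), signed_xml)
    except TemplateRejected:
        return False

def rejection_reason(template_xml):
    """'' if the template passes the audit, else why it was refused."""
    try:
        audit(ET.fromstring(template_xml))
        return ""
    except TemplateRejected as e:
        return str(e)

def demo_signer(data, algorithm):
    """STAND-IN for RSA-SHA1 (constructed key, symmetric): NOT a signature."""
    assert algorithm == DSIG + "rsa-sha1"
    return hmac.new(b"demo-key-not-a-secret", data, hashlib.sha1).digest()

# Ed's template (constructed input), minus the KeyInfo block left unpopulated.
TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Document>
  <Data>
    <SubData1 MimeType="text/plain">This is some data to be signed.</SubData1>
    <SubData2 MimeType="text/plain">This is more data to be signed.</SubData2>
  </Data>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue></dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue></dsig:SignatureValue>
  </dsig:Signature>
</Document>
"""
```

`sign_template(TEMPLATE, demo_signer)` returns the document with DigestValue and SignatureValue filled; `rejection_reason()` on a template that swaps the enveloped-signature transform for an XSLT one, points the Reference URI at an external location, or names an algorithm outside the allowlist reports why it was refused. SHA-1 and RSA-SHA1 sit in the allowlists only because the quoted template uses them; the allowlists are the policy knob, and widening them is a deliberate decision rather than something a template can request.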