RE: [dss] OASIS DSS "Request for Feedback" - Signing Templates

["Edward Shallow" <ed.shallow@rogers.com>]

Hi Andreas,

   Not sure I understand the nature of your discomfort. I agree that the
server must be aware of every aspect of the signature requirement. If an
implementation does not parse the input document, shame, shame. The template
approach does not advocate dropping input editing and validation. 

   The real motive is ease-of-use for the DSS interface developer. The
effort required to tee up a call, and therefore the friendliness is
enhanced. How the server reacts to the two approaches at expressing signing
requirements must be consistent. This approach to expressing requirements
detail is becoming more prevalent in many toolkits.

   Does your reluntance stand ?

Ed

-----Original Message-----
From: Andreas Kuehne [mailto:kuehne@klup.de] 
Sent: September 13, 2004 2:48 AM
To: ed.shallow@rogers.com
Cc: 'OASIS DSS TC'
Subject: Re: [dss] OASIS DSS "Request for Feedback" - Signing Templates

Hi Ed !

Let me express my discomfort with the template approach.

I guess a template is useful in he case of a signing server which is not
capable of some ( new / strange  ) aspects of a signature format. So it
would just sign but not interpret the rest of the template. That sounds to
me like putting your sign under a document you cannot read or understand !

I want a signature server to be aware of every bit of the signature output.
That's assured by building the signature document from scratch, not by
filling in some bits in a template document.

Greetings

Andreas

>Folks,
>
>   As a result of a discussion on the September 6th conference call, 
>the OASIS DSS chairs would like your feedback and opinion on the 
>potential use of "signing templates" as an option within DSS core. A 
>brief description follows.
>
>    Essentially signing templates are XML skeleton "signed documents" 
>which are passed up to the Sign protocol as input. The template 
>embodies all of the directives and format required of the resultant 
>signature expressed as an XMLSig-compliant template.
>    
>    A signing template contains not only the data to be signed, but 
>also the format and directives of the signature to be created, 
>expressed as valid [XMLSig] elements. [XMLSig] elements such as 
><SignatureValue>, <DigestValue>, and <X509Certificate> are left empty 
>on input, but are subsequently populated by the DSS service. The user 
>simply leaves these selected element tags empty, and the DSS service 
>would automatically include the generated content and return the signed 
>document in the appropriate element of the <SignResponse>.
>
>    The best way to illustrate a template is via an example. As one can 
>see, things like transforms, signature placement, key name, certificate 
>details, digest algorithms, and more can all be expressed in the 
>template. Things like digest value, signature value, certificate body, 
>etc ... Are filled in by the DSS service.
>
>    It is just a convenient way of expressing signature requirements.
>
>    The question to the team is "Should a generic non-specific notion 
>of templating be incorporated in the DSS core ?"
>
>    Feedback welcome and encouraged.
> 
>
><?xml version="1.0" encoding="UTF-8"?>
><Document>
>	<Data>
>		<SubData1 MimeType="text/plain">This is some data to be 
>signed.</SubData1>
>		<SubData2 MimeType="text/plain">This is more data to be 
>signed.</SubData2>
>	</Data>
>	<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#";>
>		<dsig:SignedInfo>
>			<dsig:CanonicalizationMethod
>Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>			<dsig:SignatureMethod
>Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>				<dsig:Reference URI="">
>					<dsig:Transforms>
>						<dsig:Transform
>Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>					</dsig:Transforms>
>					<dsig:DigestMethod
>Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>	
><dsig:DigestValue></dsig:DigestValue>
>				</dsig:Reference>
>		</dsig:SignedInfo>
>		<dsig:SignatureValue>
>		</dsig:SignatureValue>
>		<dsig:KeyInfo>
>			<dsig:KeyName>C=CA, O=Acme, OU=For Test Use Only,
CN=Joe Public, 
>E=JoeP@yahoo.ca</dsig:KeyName>
>			<dsig:X509Data>
>	
><dsig:X509Certificate></dsig:X509Certificate>
>	
><dsig:X509SubjectName></dsig:X509SubjectName>
>	
><dsig:X509IssuerSerial></dsig:X509IssuerSerial>
>			</dsig:X509Data>
>		</dsig:KeyInfo>
>	</dsig:Signature>
></Document>
>
>
>
>
>
>
>To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php
.
>
>
>  
>