Subject: Re: [dss] Groups - Signature Gateway Profile wd03 (oasis-dss-1[1].0-profiles-siggty-spec-wd-03.doc) uploaded



Hi Glenn,

a few comments:

1: "transforms both credential logistics, and the cryptographic technology" 
- remove the comma, maybe define "credential logistics".

2.3: we've been leaning toward saying the document *is* a profile, instead 
of that it contains profiles.

2.4: this should name the type of signature object(s) supported (i.e. 
XML-DSIG).

2.5 / 2.6: "permits all transport/security bindings": permits isn't 
clear.  Is this the equivalent of a normative MUST, SHOULD, or MAY?  If you 
want this to be a concrete profile, you should assign MUSTs to some set of 
bindings, to ensure interop.  If you don't want to constrain bindings, then 
you should call this an abstract profile.

4.1.1: "The Signature Gateway Profile MAY support any optional input 
defined in [DSSCore]".  Does this requirement apply to clients or servers?

4.1.1.1 and 4.1.1.2: The <SignatureType> and <KeySelector> options normally 
only appear in Sign requests, not Verify requests.  If it turns out all the 
optional inputs you want pertain to the Signing and not Verifying, you 
should consider basing your profile on the SignRequest protocol instead.

Do you want to specify a MUST signature type for servers to support?  If 
not, this is definitely an abstract profile.

4.1.1.3: SignatureObject is not an optional input; it's an essential part 
of a VerifyRequest.

4.1.1.4: agreed we need something better here, though changing the core 
isn't my 1st choice.  First, <VerifyManifests> already exists, so do you 
need to define your own version?  As far as what the signature covers, why 
not just have it cover the entire input signature and be done with it?  The 
only remaining choices are to insert timestamps or CRL, but that's not too 
many options to enumerate.

5: typo?


Trevor


