Subject: [dss] Public comment: OASIS-DSS Exclusive Canonicalization and ValidationErrors(Unique Particle Attribution)


Dear all,

First I have to apologize to follow up on myself, but I'd like to add a few points to my last
public comment (21.03.2005) after I had a short email exchange with Martin Centner.

FYI

Martin Centner wrote:
Konrad Lanz wrote:
Dear all,

I'd like to refer to my last public comment (21.03.2005) and I'd like to add a few points.

To the first point (Exclusive Canonicalization) I'd like to add that ambiguities concerning the scope of namespaces appear in <dss:VerifyRequests> as well. A <ds:Signature> having namespace declarations in scope that were not in scope during signature creation will influence the input of the digest computation.

This happens because standard xml binding frameworks like JAXB with dom binding support will put all namespace declarations in scope into the top most element.

It's not a problem caused by some xml binding framework. This is specified XML (with namespaces) behaviour. If you put some nodes as child elements of another node, these nodes will inherit all namespace context from the parent node. This can't be avoided in XML 1.0.

Namespaces in XML 1.1 tries to solve this problem by specifying a mechanism to undeclare namespace prefixes. Unfortunately this is only possible for XML 1.1. A restriction to XML 1.1 wouldn't be acceptable for OASIS-DSS.

Therefore, the specification must _at_least_ clearly define that the implementation has to apply appropriate measures to get rid of the namespace context for <XMLData> and <Signature> objects.

As indicated by Martin a solution to this problem exists; it can be found in namespaces for xml 1.1 in
section namespace scoping:
> [...] The attribute value in a namespace declaration for a prefix MAY be empty.
> This has the effect, within the scope of the declaration, of removing any association
> of the prefix with a namespace name.[...]
Thus enabling to remove namespaces from the scope for particular elements and their children
hence avoiding their declaration through canonical xml.

If xml 1.0 should be supported by dss this mechanism is only available for the default namespace
xmlns as indicated in namespaces in xml.

However there exists a workaround to free a node from its namespace context for xml 1.0 as well.
If DOM is used to process the xml the importNode method can be used to free a node from its
namespace context. This however requires the relevant xml data (element Node) to have a parent
node from whose parent node's context it can be separated by importing into a new document.

This for example works already well for <dss:InputDocuments> as they are enclosed by
<dss:XMLData> tags but not for <ds:Signature> as it is a direct child of <dss:SignatureObject>.

Hence I'd suggest something similar to what <dss:XMLData> is for xml content for
<ds:Signature>. See the suggested <dss:XMLSignature> in SchemaSnippet1 at the end of
this email.

Analogous modifications could also be made for <ds:Transforms> and <ds:KeyInfo>.

This would also enable a solution to the problem with the "Unique Particle Attribution" constraint
mentioned in my last posting.
Then <xs:any namespace="##other" processContents="lax"/> could be used instead of
<xs:any processContents="lax"/> and all newly defined <xs:elements> in profiles that will be
matched by the <xs:any> wild cards would then either lie outside the dss namespace or could be
defined like in the attached schema file. There I defined <xs:complexType>s for
SignRequestOptionalInputs, SignResponseOptionalOutputs, VerifyRequestOptionalInputs
and SignResponseOptionalOutputs.

Best regards
Konrad Lanz

P.S.:   I also added <xs:attribute name="ObjId" type="xs:string" use="optional"/>
in <dss:EnvelopingSignature> which seems to have gone missing as Antonio has mentioned.

See Example1 at the end of this email:

Please imagine an enveloping signature created in a non DSS application using canonical xml (but not exclusive canonical xml) which is to be verified by using a <dss:VerifyRequests>.

This signature element will as soon as it is imported into <dss:VerifyRequests> and as child appended to the <dss:SignatureObject> implicitly enter the scope of the enclosing namespaces. Which is not a problem per se, but can cause troubles in combination with empty default namespace elements.

It's simply a problem if Canonical XML is used. Any namespace declaration in scope will find its way into the Canonical XML.

This means that, if a document is signed not having a xmlns declaration and also not the empty default namespace declaration xmlns="" was not embedded into the first prefix free element -- which is in compliance with canonical xml sections processing model (point: element node, namespace axis) and superfluous namespace declarations -- then this document cannot be transported or verified in a <dss:VerifyRequests> in an unambiguous way. This is because the elements without prefix would be believed to lie in the outer default namespace, which is potentially the dss namespace.

The same problem also appears in an analogous way with enveloping signatures (see the comment at the end of Example1).


Best regards
Konrad Lanz


########################### Example 1 Begin ###########################
The following <dss:VerifyRequest> causes the namespaces xmlns:dss xmlns:ds to be imported into
the enveloping <ds:Signature>.

### Request Begin###
<?xml version="1.0" encoding="UTF-8"?>
<VerifyRequest xmlns="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30.xsd"
        xmlns:dss="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30.xsd"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        RequestID="S1234567"
        Profile="SomeProfile">
    <dss:SignatureObject><XMLSignature><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/><Reference URI="#object"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Wa+y+fiVyspgDbr5JFCNgcpbz9c=</DigestValue></Reference></SignedInfo><SignatureValue>rURddxuMyfahNuiROvpGsSYEvtlsVOodWWZ4zp0hve8YujJ51zz7hg==</SignatureValue><Object Id="object"><XMLExampleDocument xmlns=""><FirstElement firstAttr="Text in first Attribute">Text in first Element</FirstElement><SecondElement>Text in second Element !!! has changed !!!</SecondElement><ThirdElement>
Third Text.
          </ThirdElement><FourthElement/>
                   a lot of space
                   <FifthElement/>
                 </XMLExampleDocument></Object></Signature></XMLSignature></dss:SignatureObject>
</VerifyRequest>
### Request End ###

### Signature Begin ###
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dss="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/><Reference URI="#object"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>Wa+y+fiVyspgDbr5JFCNgcpbz9c=</DigestValue></Reference></SignedInfo><SignatureValue>rURddxuMyfahNuiROvpGsSYEvtlsVOodWWZ4zp0hve8YujJ51zz7hg==</SignatureValue><Object Id="object"><XMLExampleDocument xmlns=""><FirstElement firstAttr="Text in first Attribute">Text in first Element</FirstElement><SecondElement>Text in second Element !!! has changed !!!</SecondElement><ThirdElement>
Third Text.
          </ThirdElement><FourthElement/>
                   a lot of space
                   <FifthElement/>
                 </XMLExampleDocument></Object></Signature>
### Signature End ###

N.B.: Here one can see another unclarity as well, which is caused by a lack of specification in canonical xml sections processing model (point: element node, namespace axis) and superfluous namespace declarations in combination with enveloping signature creation.
In fact xml content having xml tags in the empty default namespace without an xmlns="" declaration in the first prefix free xml tag cannot be transported in another protocol without being influenced. This means they can neither be embedded in an enveloping signature without implying the wrong interpretation of prefix free xml tags as being in the xmldsig namespace nor in a dss request without implying that those elements lie in the dss namespace.
########################### Example 1 End ###########################



########################### SchemaSnippet1 Begin ###########################
    <xs:element name="SignatureObject">
        <xs:complexType>
            <xs:sequence>
                <xs:choice>
<!--                    <xs:element ref="ds:Signature"/>                -->
                    <xs:element ref="dss:XMLSignature"/>
                    <xs:element ref="dss:Timestamp"/>               
                    <xs:element ref="dss:Base64Signature"/>
                    <xs:element ref="dss:SignaturePtr"/>
                    <xs:any namespace="##other" processContents="lax"/>
                </xs:choice>
                <xs:element name="Schema" type="xs:base64Binary" minOccurs="0"/>
            </xs:sequence>
        </xs:complexType>
    </xs:element>

    <xs:element name="XMLSignature">
        <xs:complexType>
            <xs:sequence>
                  <xs:element ref="ds:Signature"/>
            </xs:sequence>
        </xs:complexType>
    </xs:element>
########################### SchemaSnippet1 End ###########################

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30.xsd" 
			xmlns:dss="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30.xsd" 
			xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
			xmlns:xs="http://www.w3.org/2001/XMLSchema"
			xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
			elementFormDefault="qualified" 
			attributeFormDefault="unqualified">			

	<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
	<xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/download.php/3408/oasis-sstc-saml-schema-protocol-1.1.xsd"/>
	<xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>			


	<!-- COMMON PROTOCOL STRUCTURES -->

	<xs:complexType name="DSSAnyType">
		<xs:sequence>
			<xs:any processContents="lax" maxOccurs ="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	
	<xs:complexType name="InternationalStringType">
		<xs:simpleContent>
			<xs:extension base="xs:string">
				<xs:attribute ref="xml:lang"/>
			</xs:extension>
		</xs:simpleContent>
	</xs:complexType>
		
	<xs:element name="InputDocuments">
		<xs:complexType>
			<xs:sequence>
				<xs:choice minOccurs="1" maxOccurs="unbounded">		
					<xs:element ref="dss:Document"/>
					<xs:element ref="dss:DocumentHash"/>
					<xs:any namespace="##other" processContents="lax"/>					
				</xs:choice>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	
	<xs:complexType name="DocumentBaseType" abstract="true">
		<xs:sequence>
			<xs:element ref="ds:Transforms" minOccurs="0"/> 
			<xs:element name="Schema" type="xs:base64Binary" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="ID" type="xs:ID" use="optional"/>
		<xs:attribute name="RefURI" type="xs:anyURI" use="optional"/>
		<xs:attribute name="RefType" type="xs:anyURI" use="optional"/>
	</xs:complexType>	


	<xs:element name="Document">
		<xs:complexType>
			<xs:complexContent>
				<xs:extension base="dss:DocumentBaseType">
					<xs:choice>
						<xs:element ref="dss:XMLData"/>
						<xs:element ref="dss:Base64Data"/>
					</xs:choice>
				</xs:extension>
			</xs:complexContent>
		</xs:complexType>
	</xs:element>

	<xs:element name="XMLData" type="dss:DSSAnyType"/>

	<xs:element name="Base64Data">
		<xs:complexType>
			<xs:simpleContent>
				<xs:extension base="xs:base64Binary">
					<xs:attribute name="MimeType" type="xs:string" use="optional"/>
				</xs:extension>
			</xs:simpleContent>
		</xs:complexType>			
	</xs:element>
	
	<xs:element name="DocumentHash">
		<xs:complexType>
			<xs:complexContent>
				<xs:extension base="dss:DocumentBaseType">
					<xs:sequence>
						<xs:element ref="ds:DigestMethod"/>
						<xs:element ref="ds:DigestValue"/>
					</xs:sequence>
				</xs:extension>
			</xs:complexContent>
		</xs:complexType>
	</xs:element>
	
	<xs:element name="SignatureObject">
		<xs:complexType>
			<xs:sequence>
				<xs:choice>
<!--					<xs:element ref="ds:Signature"/>				-->
					<xs:element ref="dss:XMLSignature"/>
					<xs:element ref="dss:Timestamp"/>				
					<xs:element ref="dss:Base64Signature"/>
					<xs:element ref="dss:SignaturePtr"/>
					<xs:any namespace="##other" processContents="lax"/>
				</xs:choice>
				<xs:element name="Schema" type="xs:base64Binary" minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>

	<xs:element name="XMLSignature">
		<xs:complexType>
			<xs:sequence>
  				<xs:element ref="ds:Signature"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	
	<xs:element name="Base64Signature">
		<xs:complexType>
			<xs:simpleContent>
				<xs:extension base="xs:base64Binary">
					<xs:attribute name="Type" type="xs:anyURI"/>
				</xs:extension>
			</xs:simpleContent>
		</xs:complexType>
	</xs:element>

	<xs:element name="SignaturePtr">
		<xs:complexType>
			<xs:attribute name="WhichDocument" type="xs:IDREF"/>             
			<xs:attribute name="XPath" type="xs:string" use="optional"/>             
		 </xs:complexType>
	</xs:element>

	<xs:element name="Result">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="ResultMajor" type="xs:anyURI"/>
				<xs:element name="ResultMinor" type="xs:anyURI" minOccurs="0"/>
				<xs:element name="ResultMessage" type="dss:InternationalStringType" minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>	
	
	<!-- TODO get rid of this -->
	<xs:element name="OptionalInputs" type="dss:DSSAnyType"/>
	<!-- TODO get rid of this -->
    <xs:element name="OptionalOutputs" type="dss:DSSAnyType"/>
	
	<xs:element name="ServicePolicy" type="xs:anyURI"/>
	
	<xs:element name="ClaimedIdentity">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="Name" type="saml:NameIdentifierType"/>
				<xs:element name="SupportingInfo" type="dss:DSSAnyType"           
							minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>

	
	<xs:element name="Language" type="xs:language"/>
	
	<xs:element name="AdditionalProfile" type="xs:anyURI"/>
	
	<!-- COMMON PROTOCOL STRUCTURES -->

	<!-- PROTOCOL MESSAGES BEGIN -->

 	<xs:element name="SignRequest">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="OptionalInputs" type="dss:SignRequestOptionalInputs" minOccurs="0"/>
				<xs:element ref="dss:InputDocuments"/>
			</xs:sequence>
			<xs:attribute name="RequestID" type="xs:string" use="optional"/>
			<xs:attribute name="Profile" type="xs:anyURI" use="optional"/>			
		</xs:complexType>
	</xs:element>	
	
	<xs:element name="SignResponse">
		<xs:complexType>
			<xs:sequence>
				<xs:element ref="dss:Result"/>
				<xs:element name="OptionalOutputs" type="dss:SignResponseOptionalOutputs" minOccurs="0"/>
				<xs:element ref="dss:SignatureObject" minOccurs="0"/>
			</xs:sequence>
			<xs:attribute name="RequestID" type="xs:string" use="optional"/>
			<xs:attribute name="Profile" type="xs:anyURI" use="required"/>
		</xs:complexType>
	</xs:element>
	
	<xs:element name="VerifyRequest">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="OptionalInputs" type="dss:VerifyRequestOptionalInputs" minOccurs="0"/>
				<xs:element ref="dss:SignatureObject" minOccurs="0"/>
				<xs:element ref="dss:InputDocuments" minOccurs="0"/>
			</xs:sequence>
			<xs:attribute name="RequestID" type="xs:string" use="optional"/>
			<xs:attribute name="Profile" type="xs:anyURI" use="optional"/>
		</xs:complexType>
	</xs:element>

	<xs:element name="VerifyResponse">
		<xs:complexType>
			<xs:sequence>
				<xs:element ref="dss:Result"/>
				<xs:element name="OptionalOutputs" type="dss:VerifyResponseOptionalOutputs" minOccurs="0"/>
			</xs:sequence>
			<xs:attribute name="RequestID" type="xs:string" use="optional"/>
			<xs:attribute name="Profile" type="xs:anyURI" use="required"/>			
		</xs:complexType>
	</xs:element>
	
	<!-- PROTOCOL MESSAGES END -->	
	
  <!-- SIGNREQUEST OPTIONAL INPUTS START -->
  <!-- SignRequestOptionalInputs Type START -->
  <xs:complexType name="SignRequestOptionalInputs">
    <xs:sequence>
      <xs:choice minOccurs="1" maxOccurs="unbounded">
        <xs:element name="SignatureType" type="xs:anyURI"/>
        <xs:element name="AddTimestamp">
          <xs:complexType>
            <xs:attribute name="Type" type="xs:anyURI" use="optional"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="IntendedAudience">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="Recipient" type="saml:NameIdentifierType" maxOccurs="unbounded"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="KeySelector">
          <xs:complexType>
            <xs:choice>
              <!-- <xs:element ref="ds:KeyInfo"/> -->
              <xs:element ref="dss:XMLKeyInfo"/>
              <xs:any namespace="##other" processContents="lax"/>
            </xs:choice>
          </xs:complexType>
        </xs:element>
        <xs:element name="SignedReferences">
          <xs:complexType>
            <xs:sequence>
              <xs:element ref="dss:SignedReference" maxOccurs="unbounded"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="Properties">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="SignedProperties" type="dss:PropertiesType" minOccurs="0"/>
              <xs:element name="UnsignedProperties" type="dss:PropertiesType" minOccurs="0"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="SignaturePlacement">
          <xs:complexType>
            <xs:choice>
              <xs:element name="XPathAfter" type="xs:string"/>
              <xs:element name="XPathFirstChildOf" type="xs:string"/>
            </xs:choice>
            <xs:attribute name="WhichDocument" type="xs:IDREF"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="EnvelopingSignature">
          <xs:complexType>
            <xs:attribute name="WhichDocument" type="xs:IDREF"/>
            <xs:attribute name="ObjId" type="xs:string" use="optional"/>
          </xs:complexType>
        </xs:element>
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
    </xs:sequence>
  </xs:complexType>
  <!-- SignRequestOptionalInputs Type END -->  
  <xs:element name="Property">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Identifier" type="xs:anyURI"/>
        <xs:element name="Value" type="dss:DSSAnyType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:complexType name="PropertiesType">
    <xs:sequence>
      <xs:element ref="dss:Property" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
	<xs:element name="XMLKeyInfo">
		<xs:complexType>
			<xs:sequence>
  				<xs:element ref="ds:KeyInfo"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
  <xs:element name="SignedReference">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ds:Transforms" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="WhichDocument" type="xs:IDREF" use="required"/>
      <xs:attribute name="RefId" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!-- SIGNREQUEST OPTIONAL INPUTS END -->
	
  <!-- SIGNRESPONSE OPTIONAL OUTPUTS START -->
  <xs:complexType name="SignResponseOptionalOutputs">
    <xs:sequence>
      <xs:choice minOccurs="1" maxOccurs="unbounded">
        <xs:element name="DocumentWithSignature">
          <xs:complexType>
            <xs:sequence>
              <xs:element ref="dss:Document"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
    </xs:sequence>
  </xs:complexType>
  <!-- SIGNRESPONSE OPTIONAL OUTPUTS END -->
	
	<!-- VERIFYREQUEST OPTIONAL INPUTS START -->
	
  <xs:complexType name="VerifyRequestOptionalInputs">
    <xs:sequence>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
		<xs:element name="VerifyManifests"/>
		<xs:element name="VerificationTime" type="xs:dateTime"/>
		<xs:element name="AdditionalKeyInfo">
			<xs:complexType>
				<xs:sequence>
					<xs:element ref="ds:KeyInfo"/>
				</xs:sequence>
			</xs:complexType>	
		</xs:element>
		<xs:element name="ReturnProcessingDetails"/>
		<xs:element name="ReturnSigningTime"/>
		<xs:element name="ReturnTimestampTime"/>
		<xs:element name="ReturnSignerIdentity"/>
		<xs:element name="ReturnUpdatedSignature">
			<xs:complexType>
				<xs:attribute name="Type" type="xs:anyURI" use="optional"/>
			</xs:complexType>
		</xs:element>
		<xs:element name="ReturnTransformedDocument">
			<xs:complexType>
				<xs:attribute name="WhichReference" type="xs:integer" use="required"/>
			</xs:complexType>
		</xs:element>
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
    </xs:sequence>
  </xs:complexType>
	
	<!-- VERIFYREQUEST OPTIONAL INPUTS END -->
	
	<!-- VERIFYRESPONSE OPTIONAL OUTPUTS START -->
	<!-- VerifyResponseOptionalOutputs START-->
  <xs:complexType name="VerifyResponseOptionalOutputs">
    <xs:sequence>
      <xs:choice minOccurs="1" maxOccurs="unbounded">
		<xs:element name="ProcessingDetails">
			<xs:complexType>
				<xs:sequence>
					<xs:element name="ValidDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
					<xs:element name="IndeterminateDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
					<xs:element name="InvalidDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
				</xs:sequence>
		  </xs:complexType>
		</xs:element>
		<xs:element name="SigningTime">
			<xs:complexType>
				<xs:simpleContent>
					<xs:extension base="xs:dateTime">
						<xs:attribute name="ThirdPartyTimestamp" type="xs:boolean" use="required"/>
					</xs:extension>
				</xs:simpleContent>
			</xs:complexType>
		</xs:element>	
		<xs:element name="TimestampTime" type="xs:dateTime"/>
		<xs:element name="SignerIdentity" type="saml:NameIdentifierType"/>
		<xs:element name="UpdatedSignature">
			<xs:complexType>
				<xs:sequence>
					<xs:element ref="dss:SignatureObject"/>
				</xs:sequence>			
				<xs:attribute name="Type" type="xs:anyURI" use="optional"/>
			</xs:complexType>
		</xs:element>		
		<xs:element name="TransformedDocument">
			<xs:complexType>
				<xs:sequence>
					<xs:element ref="dss:XMLData"/>
				</xs:sequence>
				<xs:attribute name="WhichReference" type="xs:integer" use="required"/>			
			</xs:complexType>	
		</xs:element>
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
    </xs:sequence>
  </xs:complexType>
	<!-- VerifyResponseOptionalOutputs END -->
	<xs:complexType name="DetailType">
			<xs:sequence>
				<xs:element name="Code" type="xs:anyURI" minOccurs="0"/>
				<xs:element name="Message" type="dss:InternationalStringType" minOccurs="0"/>
				<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs ="unbounded"/>
			</xs:sequence>		
			<xs:attribute name="Type" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- VERIFYRESPONSE OPTIONAL OUTPUTS END -->
		
	<!-- TIMESTAMP BEGIN -->	

	<xs:element name="Timestamp">
		<xs:complexType>
			<xs:choice>  
<!--				<xs:element ref="ds:Signature"/> -->
                <xs:element ref="dss:XMLSignature"/> 
				<xs:element name="RFC3161TimeStampToken" type="xs:base64Binary"/>
				<xs:any namespace="##other" processContents="lax"/>
			</xs:choice>		
		</xs:complexType>   
	</xs:element>
	
	<xs:element name="TstInfo">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="SerialNumber" type="xs:integer"/>
				<xs:element name="CreationTime" type="xs:dateTime"/>
				<xs:element name="Policy" type="xs:anyURI" minOccurs="0"/>
				<xs:element name="ErrorBound" type="xs:duration" minOccurs="0"/>
				<xs:element name="Ordered" type="xs:boolean" default="false" minOccurs="0"/>
				<xs:element name="TSA" type="saml:NameIdentifierType" minOccurs="0"/>
			</xs:sequence>				
		</xs:complexType>
	</xs:element>

	<!-- TIMESTAMP END -->

	<!-- REQUESTER IDENTITY BEGIN -->
	
	<xs:element name="RequesterIdentity">
	    <xs:complexType>
	        <xs:sequence>
	            <xs:element name="Name" type="saml:NameIdentifierType"/>
	            <xs:element name="SupportingInfo" type="dss:DSSAnyType" minOccurs="0"/>
	        </xs:sequence>
	    </xs:complexType>
	</xs:element>	
	
	<!-- REQUESTER IDENTITY END -->
	
</xs:schema>
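
The namespace-scoping effect discussed in this message, as an added illustration (not part of the original e-mail, its attachment or the DSS specification): it parses a signature on its own and again inside a VerifyRequest, then lists the namespace declarations that inclusive and exclusive canonicalization would write on <SignedInfo>, the element the CanonicalizationMethod is applied to, and repeats the check after DOM importNode. The sample documents and the urn:example:dss-core namespace are constructed, and the code renders only the apex element's namespace declarations; it is not a full canonicalizer.

```python
from xml.dom import minidom

DS = "http://www.w3.org/2000/09/xmldsig#"
DSS = "urn:example:dss-core"  # constructed placeholder for the DSS core namespace

# Constructed samples: the signature as its creator serialized it, the same
# text wrapped in a VerifyRequest, and a prefix-free payload without xmlns="".
SIGNATURE = f'<Signature xmlns="{DS}"><SignedInfo/><SignatureValue/></Signature>'
REQUEST = (
    f'<VerifyRequest xmlns="{DSS}" xmlns:dss="{DSS}" xmlns:ds="{DS}">'
    f'<dss:SignatureObject><dss:XMLSignature>{SIGNATURE}</dss:XMLSignature>'
    '</dss:SignatureObject></VerifyRequest>'
)
PAYLOAD = '<XMLExampleDocument><FirstElement/></XMLExampleDocument>'
ENVELOPING = f'<Signature xmlns="{DS}"><Object Id="object">{PAYLOAD}</Object></Signature>'


def in_scope(elem):
    """Namespace axis of elem as {prefix: uri}; the nearest declaration wins."""
    scope = {}
    node = elem
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        for name, value in node.attributes.items():
            if name == "xmlns" or name.startswith("xmlns:"):
                scope.setdefault(name.partition(":")[2], value or "")
        node = node.parentNode
    # An empty value (xmlns="") removes the binding instead of creating one.
    return {prefix: uri for prefix, uri in scope.items() if uri}


def apex_namespace_decls(elem, exclusive):
    """Namespace declarations C14N writes on elem when it is the apex node."""
    scope = in_scope(elem)
    if exclusive:
        # Exclusive C14N keeps only prefixes visibly used by the element
        # itself or by its (non-xmlns) attributes.
        used = {elem.prefix or ""}
        for name, _ in elem.attributes.items():
            prefix, colon, _local = name.partition(":")
            if colon and prefix != "xmlns":
                used.add(prefix)
        scope = {p: u for p, u in scope.items() if p in used}
    parts = []
    for prefix, uri in sorted(scope.items()):
        attr_name = "xmlns:" + prefix if prefix else "xmlns"
        parts.append(f' {attr_name}="{uri}"')
    return "".join(parts)


def compare_contexts():
    """Render <SignedInfo> declarations standalone, embedded and after import."""
    alone = minidom.parseString(SIGNATURE).getElementsByTagName("SignedInfo")[0]
    request = minidom.parseString(REQUEST)
    embedded = request.getElementsByTagName("SignedInfo")[0]
    # importNode copies the Signature subtree without its ancestors, so the
    # declarations made on VerifyRequest are no longer in scope.
    signature = request.getElementsByTagName("Signature")[0]
    imported = minidom.Document().importNode(signature, True)
    detached = imported.getElementsByTagName("SignedInfo")[0]
    return {
        "alone_inclusive": apex_namespace_decls(alone, exclusive=False),
        "alone_exclusive": apex_namespace_decls(alone, exclusive=True),
        "embedded_inclusive": apex_namespace_decls(embedded, exclusive=False),
        "embedded_exclusive": apex_namespace_decls(embedded, exclusive=True),
        "imported_inclusive": apex_namespace_decls(detached, exclusive=False),
    }


def namespace_of(xml_text, local_name):
    """Namespace URI a parser assigns to the first element named local_name."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagName(local_name)[0].namespaceURI


if __name__ == "__main__":
    for label, decls in compare_contexts().items():
        print(f"{label:20}<SignedInfo{decls}>")
    print("payload alone:", namespace_of(PAYLOAD, "XMLExampleDocument"))
    print("payload enveloped:", namespace_of(ENVELOPING, "XMLExampleDocument"))
```

Only the embedded, inclusive rendering differs from what the signer canonicalized, which is why a verifier has to detach the signature from the request context (or the signer has to use exclusive canonicalization) before recomputing it; the last two lines show a prefix-free payload being read as xmldsig content once it is enveloped without xmlns="".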

