Subject: Re: [Fwd: [dss] More on EnvelopingSignature]


Dear Ed,

you make good points in your Scenarios,
though I have a different view on how they
should be dealt with.

In short to simplify things I'd suggest:

dss:DocumentBaseType's RefURI should always go into the URI
of ds:Reference in the resulting Signature; if it does not
resolve properly, it is the client's responsibility and signature
generation will fail. (Resolution here means same-document
resolution against the supplied InputDocuments only; a server
must never dereference an external RefURI, or the signing service
becomes a proxy for fetching arbitrary resources on the client's behalf.)

EnvelopingSignature should be renamed to ObjectsToEnvelop:

<dss:ObjectsToEnvelop>
  <dss:ObjectToEnvelop WhichDocument="doc1" ObjId="dsObjIdA"/>
  <dss:ObjectToEnvelop WhichDocument="doc2" ObjId="dsObjIdB"/>
  <dss:ObjectToEnvelop WhichDocument="doc3" ObjId="dsObjIdC"/>
</dss:ObjectsToEnvelop>

dss:ObjectToEnvelop's ObjId should always go into <ds:Object Id="...">;
if it is omitted, the Id attribute is omitted as well (i.e. a bare <ds:Object>).
The client can then use dss:DocumentBaseType's RefURI to reference the content.

Further points:

We would have to restrict that an InputDocument cannot be referenced by the
WhichDocument of dss:ObjectToEnvelop and of dss:SignaturePlacement at the same
time, as this would require the generation of two different ds:References with
different URIs, but DocumentBaseType has only one RefURI, which contradicts the
previous claim.

If the client nevertheless wants to envelop a document and place the signature
somewhere into the "same" document, the document has to be sent twice: once
with RefURI="#dsObjectId" and once more with RefURI="" (or at least a
"reference only" URI for some rare cases).

Further, we would have to restrict that if a dss:SignaturePlacement points to an
input document, client-side Transforms are not allowed for this document, because
the client does not have the complete DOM tree (i.e. the resulting Signature and
Objects are missing). Note also that wherever client-side Transforms are allowed,
the server executes a client-supplied transform chain on client-supplied data, so
the accepted Transform algorithms should be an explicit allowlist rather than
everything ds:Transforms can carry (XSLT in particular should be refused).

An example (please forgive minor mistakes, as this example is compiled
by hand); see also the attached schema
"oasis-dss-1.0-core-schema-wd-30c-suggestion1.xsd":

<dss:SignRequest
xmlns:dss="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30c.xsd"
RequestID="ReqId">
  <dss:OptionalInputs>
    <dss:SignatureType>urn:ietf:rfc:3275</dss:SignatureType>
    <dss:ObjectsToEnvelop>
      <dss:ObjectToEnvelop WhichDocument="Doc1"/>
      <dss:ObjectToEnvelop WhichDocument="Doc2" ObjId="ObjIdA"/>
      <dss:ObjectToEnvelop WhichDocument="Doc3"/>
      <dss:ObjectToEnvelop WhichDocument="Doc5" ObjId="ObjIdC"/>
    </dss:ObjectsToEnvelop>
    <dss:SignedReferences>
      <dss:SignedReference WhichDocument="Doc1" RefId="RefId1"/>
      <dss:SignedReference WhichDocument="Doc2" RefId="RefId2"/>
      <dss:SignedReference WhichDocument="Doc3" RefId="RefId3"/>
      <dss:SignedReference WhichDocument="Doc4" RefId="RefId4"/>
    </dss:SignedReferences>
    <dss:SignaturePlacement WhichDocument="Doc4">
      <dss:XPathFirstChildOf>./Root/Child3</dss:XPathFirstChildOf>
    </dss:SignaturePlacement>
  </dss:OptionalInputs>
<dss:InputDocuments>
  <dss:Document ID="Doc1" RefURI="#Child1Id">
    <dss:XMLData>
      <ns1:Root xmlns:ns1="http://ns.com#ns1" xmlns:ns2="http://ns.com#ns2">
        <ns1:Child1 Id="Child1Id">child1 content</ns1:Child1>
        <ns2:Child2>
          <ns1:Child21>child21 content</ns1:Child21>
          <ns1:Child22>child22 content</ns1:Child22>
        </ns2:Child2>
        <ns2:Child3>
          <ns2:Child31>child31 content</ns2:Child31>
          <ns2:Child32>child32 content</ns2:Child32>
        </ns2:Child3>
      </ns1:Root>
    </dss:XMLData>
  </dss:Document>
  <dss:Document ID="Doc2" RefURI="#data">
    <dss:XMLData>
      <ns1:XYZ xmlns:ns1="http://ns.com#ns1">
         <ns1:XYZ ID="data"/>
      </ns1:XYZ>
    </dss:XMLData>
  </dss:Document>
  <dss:Document ID="Doc3" RefURI="#xpointer(id('data1'))">
    <dss:XMLData>
      <ns1:XYZ xmlns:ns1="http://ns.com#ns1">
         <ns1:XYZ Id="data1">
           Text and <!-- Comments -->
         </ns1:XYZ>
      </ns1:XYZ>
    </dss:XMLData>
  </dss:Document>
  <dss:Document ID="Doc4" RefURI="">
    <dss:XMLData>
      <ns1:Root xmlns:ns1="http://ns.com#ns1" xmlns:ns2="http://ns.com#ns2">
        <ns1:Child1 Id="Child1Id">child1 content</ns1:Child1>
        <ns2:Child2>
          <ns1:Child21>child21 content</ns1:Child21>
          <ns1:Child22>child22 content</ns1:Child22>
        </ns2:Child2>
        <ns2:Child3>
          <ns2:Child31>child31 content</ns2:Child31>
          <ns2:Child32>child32 content</ns2:Child32>
        </ns2:Child3>
      </ns1:Root>
    </dss:XMLData>
  </dss:Document>
  <dss:Document ID="Doc5" RefURI="#xpointer(id('ObjIdC'))/XYZ/XYZ">
    <dss:XMLData>
      <ns1:XYZ xmlns:ns1="http://ns.com#ns1">
         <ns1:XYZ/>
      </ns1:XYZ>
    </dss:XMLData>
  </dss:Document>
</dss:InputDocuments>
</dss:SignRequest>

Should Produce a Result like:

<?xml version="1.0" encoding="UTF-8"?>
<SignResponse xmlns="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30c.xsd"
RequestID="ReqId">
    <Result>
        
<ResultMajor>urn:oasis:names:tc:dss:1.0:resultmajor:Success</ResultMajor>
        <ResultMessage xml:lang="en">SignRequest for EnvelopedSignature 
processed successfully</ResultMessage>
    </Result>
    <OptionalOutputs>
        <DocumentWithSignature>
          <Document>
            <XMLData>
<ns1:Root xmlns:ns1="http://ns.com#ns1" xmlns:ns2="http://ns.com#ns2">
  <ns1:Child1>child1 content</ns1:Child1>
    <ns2:Child2>
    <ns1:Child21>child21 content</ns1:Child21>
    <ns1:Child22>child22 content</ns1:Child22>
  </ns2:Child2>
  <ns2:Child3>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="..."/>
        <SignatureMethod Algorithm="..."/>
        <Reference Id="RefId1" URI="#Child1Id">
          <Transforms>
            <Transform Algorithm="..."/>
          </Transforms>
          <DigestMethod Algorithm="..."/>
          <DigestValue>...=</DigestValue>
        </Reference>
        <Reference Id="RefId2" URI="#data">
          <Transforms>
            <Transform Algorithm="..."/>
          </Transforms>
          <DigestMethod Algorithm="..."/>
          <DigestValue>...=</DigestValue>
        </Reference>
        <Reference Id="RefId3" URI="#xpointer(id('data1'))">
          <Transforms>
            <Transform Algorithm="..."/>
          </Transforms>
          <DigestMethod Algorithm="..."/>
          <DigestValue>...=</DigestValue>
        </Reference>
        <Reference Id="RefId4" URI="">
          <Transforms>
            <Transform Algorithm="..EnvelopedTransform.."/>
          </Transforms>
          <DigestMethod Algorithm="..."/>
          <DigestValue>...=</DigestValue>
        </Reference>
        <Reference Id="RefId5" URI="#xpointer(id('ObjIdC'))/XYZ/XYZ">
          <Transforms>
            <Transform Algorithm="..."/>
          </Transforms>
          <DigestMethod Algorithm="..."/>
          <DigestValue>...=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>...==</SignatureValue>
      <Object>
      <ns1:Root xmlns:ns1="http://ns.com#ns1" xmlns:ns2="http://ns.com#ns2">
        <ns1:Child1 Id="Child1Id">child1 content</ns1:Child1>
        <ns2:Child2>
          <ns1:Child21>child21 content</ns1:Child21>
          <ns1:Child22>child22 content</ns1:Child22>
        </ns2:Child2>
        <ns2:Child3>
          <ns2:Child31>child31 content</ns2:Child31>
          <ns2:Child32>child32 content</ns2:Child32>
        </ns2:Child3>
      </ns1:Root>
      </Object>
      <Object Id="ObjIdA">
      <ns1:XYZ xmlns:ns1="http://ns.com#ns1">
         <ns1:XYZ ID="data"/>
      </ns1:XYZ>
      </Object>
      <Object>
      <ns1:XYZ xmlns:ns1="http://ns.com#ns1">
         <ns1:XYZ Id="data1">
           Text and <!-- Comments -->
         </ns1:XYZ>
      </ns1:XYZ>
      </Object>
      <Object Id="ObjIdC">
      <ns1:XYZ xmlns:ns1="http://ns.com#ns1">
         <ns1:XYZ/>
      </ns1:XYZ>
      </Object>
    </Signature>
    <ns2:Child31>child31 content</ns2:Child31>
    <ns2:Child32>child32 content</ns2:Child32>
  </ns2:Child3>
</ns1:Root></XMLData>
            </Document>
        </DocumentWithSignature>
    </OptionalOutputs>
</SignResponse>


best regards
Konrad

P.S.: Further comments please see below.

Edward Shallow schrieb:

> Scenario 1:
> Client passes in ...
> <bookOrder> ... </bookOrder>
> ... and dss:EnvelopingSignature/No ObjId
>
> Server can either a)reject because No ObjId attr present in request, or 

In this case I think a) is correct.

> b)it can unilaterally add a Reference URI and a matching Id attr e.g. 
> <bookOrder
> Id=content> and construct a node-set
> under a <ds:Object> and sign it. Pre-Digest would not contain 
> ds:Object tags

I think b) is not a good idea, because firstly one would have to change
content (data) and not framing, and secondly doing so implies that the
content would have to have Id attributes specified in its schema, and
I don't think we have influence on what is specified in an input document's
schema (if one exists at all).

> Scenario 2:
> Client passes in ...
> <bookOrder> ... </bookOrder>
> ... and dss:EnvelopingSignature/ObjId=MyOrder
>
> Server follows instructions and adds Reference URI and Id attr (to 
> bookOrder
> element not ds:Object I would wager)

One would have to change content again, and I'd rather not touch the payload.
In this case I'd go for returning:
<ds:Object Id="MyOrder">
 <bookOrder>....</bookOrder>
</ds:Object>
inside the Signature; if the client properly used DocumentBaseType's RefURI,
signature generation will succeed, otherwise it will fail.

> Scenario 3:
> Client passes in ...
> <bookOrder Id="MyOrder"> ... </bookOrder>
> ... and dss:EnvelopingSignature/ObjId=MyOrder
> Similar to Scenario 3 except that client included Id attr, server 
> accepts it
> since it matches and is consistent

In this case I think dss:DocumentBaseType's RefURI should be either a
"reference only" bare-name URI like RefURI="#MyOrder" or, to sign comments as
well, RefURI="#xpointer(id('MyOrder'))".
The first means that comments are not signed but are still returned inside the
ds:Object; the latter means that comments are signed and returned inside the
ds:Object.
However, it could also be RefURI="#xpointer(id('MyOrder'))/Item[1]/isbn"
(XPath positions are 1-based, so Item[0] would select nothing).

> Scenario 4:
> Client passes in ...
> <ds:Object Id="MyOrder">
> <bookOrder>...</bookOrder>
> </ds:Object>
> ... and dss:EnvelopingSignature/No ObjId
>
> Personally I would reject this since the client is trying to do our job by
> specifying signature-specific ds:Object framing

In this case (and possibly in any other) I think one should not interpret the
payload but take it as it is.
So one should return:

<ds:Object>
<ds:Object Id="MyOrder">
<bookOrder>...</bookOrder>
</ds:Object>
</ds:Object>

inside the Signature, provided there is ds="http://foobar.demo#bart" or the like
in the InclusiveNamespacePrefix List for this InputDocument (i.e. it is
ancestry context free).

> Scenario 5
> Client passes in ...
> <ds:Object Id="MyOrder">
> <bookOrder>
> <item>
> <title>XML and Digital Signatures</title>
> <isbn>0-201-48543-5</isbn>
> <quantity>1</quantity>
> <price unit="USD">39.95</price>
> </item>
> </bookOrder>
> </ds:Object>
>
> ... and dss:EnvelopingSignature/ObjId=MyOrder
>
>
> Personally I would reject this as well, in fact why not reject any thing
> that attempts framing with the ds:Object ?

<ds:Object Id="MyOrder">
<ds:Object Id="MyOrder">
<bookOrder>...</bookOrder>
</ds:Object>
</ds:Object>

is invalid anyway: two elements in one document carrying the same Id value
violate ID uniqueness, so the reference would be ambiguous.

> Additionally, should not EnvelopingSignature restrict InputDocuments to 1
> for clarity ?

How about Signatures having more than one ds:Object?

> [...]

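<?xml version="1.0" encoding="UTF-8"?>
<!--
	OASIS DSS core protocol schema, working draft 30c, with the ObjectsToEnvelop
	suggestion from the covering mail. Review notes are marked TODO(review).
	Everything described here arrives from an untrusted client: a DSS server should
	parse requests with DTD processing and external entity resolution disabled, bound
	size and nesting depth, and validate against a locally stored copy of this schema
	and of the schemas it imports.
-->
<xs:schema xmlns:dss="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30c.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" targetNamespace="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-30c.xsd" elementFormDefault="qualified" attributeFormDefault="unqualified">
	<!-- schemaLocation values are hints only; a validator inside a signing service must resolve them from a local catalog, never by fetching over the network at request time. -->
	<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
	<!-- TODO(review): the namespace imported here is the SAML assertion namespace, but the schemaLocation names the SAML 1.1 protocol schema, which declares a different targetNamespace. Point it at the matching SAML assertion schema, otherwise the saml:NameIdentifierType references below will not resolve. -->
	<xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/download.php/3408/oasis-sstc-saml-schema-protocol-1.1.xsd"/>
	<xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
	<!-- COMMON PROTOCOL STRUCTURES -->
	<!-- Open content wrapper. It types XMLData (the client payload), SupportingInfo and Property/Value, so whatever it holds is untrusted input; lax processing means unknown content passes unvalidated. -->
	<xs:complexType name="AnyType">
		<xs:sequence>
			<!-- TODO check whether minOccurs="0" should be allowed -->
			<xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<!-- Extension point: one element from any namespace other than the target namespace. A server should ignore extensions it does not recognise rather than act on them. -->
	<xs:group name="ExtensionGroup">
		<xs:sequence>
			<xs:any namespace="##other" processContents="lax"/>
		</xs:sequence>
	</xs:group>
	<!-- Human readable text tagged with its language (xml:lang, BCP 47). -->
	<xs:complexType name="InternationalStringType">
		<xs:simpleContent>
			<xs:extension base="xs:string">
				<xs:attribute ref="xml:lang"/>
			</xs:extension>
		</xs:simpleContent>
	</xs:complexType>
	<!-- The documents (or pre-computed digests) to sign or verify. Their ID attributes are the targets of every WhichDocument reference in the optional inputs. -->
	<xs:element name="InputDocuments">
		<xs:complexType>
			<xs:sequence>
				<xs:choice maxOccurs="unbounded">
					<xs:element ref="dss:Document"/>
					<xs:element ref="dss:DocumentHash"/>
					<xs:group ref="dss:ExtensionGroup"/>
				</xs:choice>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<!--
		Common part of Document and DocumentHash.
		Transforms: a client-supplied ds:Transforms chain that the server applies to the client's data before
		  digesting. Because the server executes it, the accepted Transform algorithms should be an explicit
		  allowlist; XSLT transforms in particular should be rejected.
		Schema: a client-supplied schema (base64); presumably used to decide which attributes are ID-typed when
		  resolving RefURI, TODO(review) confirm. Load it with include/import resolution disabled.
		RefURI: per the covering mail this is copied verbatim into ds:Reference/@URI. The server should resolve it
		  only as a same-document reference ("" or "#...") against the supplied InputDocuments and must never
		  dereference an external URI taken from here.
		RefType: presumably copied into ds:Reference/@Type, TODO(review) confirm.
	-->
	<xs:complexType name="DocumentBaseType" abstract="true">
		<xs:sequence>
			<xs:element ref="ds:Transforms" minOccurs="0"/>
			<xs:element name="Schema" type="xs:base64Binary" minOccurs="0"/>
		</xs:sequence>
		<xs:attribute name="ID" type="xs:ID" use="optional"/>
		<xs:attribute name="RefURI" type="xs:anyURI" use="optional"/>
		<xs:attribute name="RefType" type="xs:anyURI" use="optional"/>
	</xs:complexType>
	<!-- A document given by value, either as inline XML or as base64 encoded octets. -->
	<xs:element name="Document">
		<xs:complexType>
			<xs:complexContent>
				<xs:extension base="dss:DocumentBaseType">
					<xs:choice>
						<xs:element ref="dss:XMLData"/>
						<xs:element ref="dss:Base64Data"/>
					</xs:choice>
				</xs:extension>
			</xs:complexContent>
		</xs:complexType>
	</xs:element>
	<!-- Inline XML payload; arbitrary, unvalidated client content (see AnyType). -->
	<xs:element name="XMLData" type="dss:AnyType"/>
	<xs:element name="Base64Data">
		<xs:complexType>
			<xs:simpleContent>
				<xs:extension base="xs:base64Binary">
					<xs:attribute name="MimeType" type="xs:string" use="optional"/>
				</xs:extension>
			</xs:simpleContent>
		</xs:complexType>
	</xs:element>
	<!-- A document given only by its digest. The server signs a value it cannot recompute, so whether to accept this at all is a deployment policy decision. -->
	<xs:element name="DocumentHash">
		<xs:complexType>
			<xs:complexContent>
				<xs:extension base="dss:DocumentBaseType">
					<xs:sequence>
						<xs:element ref="ds:DigestMethod"/>
						<xs:element ref="ds:DigestValue"/>
					</xs:sequence>
				</xs:extension>
			</xs:complexContent>
		</xs:complexType>
	</xs:element>
	<!-- A signature in one of several encodings, or a pointer to one inside an input document. Schema is again client supplied; see DocumentBaseType. -->
	<xs:element name="SignatureObject">
		<xs:complexType>
			<xs:sequence>
				<xs:choice>
					<!--					<xs:element ref="ds:Signature"/>				-->
					<xs:element ref="dss:XMLSignature"/>
					<xs:element ref="dss:Timestamp"/>
					<xs:element ref="dss:Base64Signature"/>
					<xs:element ref="dss:SignaturePtr"/>
					<xs:group ref="dss:ExtensionGroup"/>
				</xs:choice>
				<xs:element name="Schema" type="xs:base64Binary" minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<xs:element name="XMLSignature">
		<xs:complexType>
			<xs:sequence>
				<xs:element ref="ds:Signature"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<xs:element name="Base64Signature">
		<xs:complexType>
			<xs:simpleContent>
				<xs:extension base="xs:base64Binary">
					<xs:attribute name="Type" type="xs:anyURI"/>
				</xs:extension>
			</xs:simpleContent>
		</xs:complexType>
	</xs:element>
	<!-- Locates a signature inside the input document named by WhichDocument. XPath is a client-supplied expression the server evaluates; bound its evaluation like any other untrusted XPath. -->
	<xs:element name="SignaturePtr">
		<xs:complexType>
			<xs:attribute name="WhichDocument" type="xs:IDREF"/>
			<xs:attribute name="XPath" type="xs:string" use="optional"/>
		</xs:complexType>
	</xs:element>
	<!-- Outcome of a request: a major code, an optional minor code and an optional human readable message. -->
	<xs:element name="Result">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="ResultMajor" type="xs:anyURI"/>
				<xs:element name="ResultMinor" type="xs:anyURI" minOccurs="0"/>
				<xs:element name="ResultMessage" type="dss:InternationalStringType" minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<!-- TODO get rid of this -->
	<!--	<xs:element name="OptionalInputs" type="dss:AnyType"/> -->
	<!-- TODO get rid of this -->
	<!--   <xs:element name="OptionalOutputs" type="dss:AnyType"/> -->
	<xs:element name="ServicePolicy" type="xs:anyURI"/>
	<!-- An identity the requester claims in the message body. Nothing in this schema authenticates it; the server must bind the claim to its own authentication of the requester before using it for key selection, authorisation or audit. -->
	<xs:element name="ClaimedIdentity">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="Name" type="saml:NameIdentifierType"/>
				<xs:element name="SupportingInfo" type="dss:AnyType" minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<xs:element name="Language" type="xs:language"/>
	<xs:element name="AdditionalProfile" type="xs:anyURI"/>
	<!-- COMMON PROTOCOL STRUCTURES -->
	<!-- PROTOCOL MESSAGES BEGIN -->
	<!-- RequestID is an opaque client string echoed in the response for correlation; treat it as data, not as an identifier to act on. -->
	<xs:element name="SignRequest">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="OptionalInputs" type="dss:SignRequestOptionalInputs" minOccurs="0"/>
				<xs:element ref="dss:InputDocuments"/>
			</xs:sequence>
			<xs:attribute name="RequestID" type="xs:string" use="optional"/>
			<xs:attribute name="Profile" type="xs:anyURI" use="optional"/>
		</xs:complexType>
	</xs:element>
	<!-- Profile is optional on the request but required on the response: the server always reports which profile it applied. -->
	<xs:element name="SignResponse">
		<xs:complexType>
			<xs:sequence>
				<xs:element ref="dss:Result"/>
				<xs:element name="OptionalOutputs" type="dss:SignResponseOptionalOutputs" minOccurs="0"/>
				<xs:element ref="dss:SignatureObject" minOccurs="0"/>
			</xs:sequence>
			<xs:attribute name="RequestID" type="xs:string" use="optional"/>
			<xs:attribute name="Profile" type="xs:anyURI" use="required"/>
		</xs:complexType>
	</xs:element>
	<xs:element name="VerifyRequest">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="OptionalInputs" type="dss:VerifyRequestOptionalInputs" minOccurs="0"/>
				<xs:element ref="dss:SignatureObject" minOccurs="0"/>
				<xs:element ref="dss:InputDocuments" minOccurs="0"/>
			</xs:sequence>
			<xs:attribute name="RequestID" type="xs:string" use="optional"/>
			<xs:attribute name="Profile" type="xs:anyURI" use="optional"/>
		</xs:complexType>
	</xs:element>
	<xs:element name="VerifyResponse">
		<xs:complexType>
			<xs:sequence>
				<xs:element ref="dss:Result"/>
				<xs:element name="OptionalOutputs" type="dss:VerifyResponseOptionalOutputs" minOccurs="0"/>
			</xs:sequence>
			<xs:attribute name="RequestID" type="xs:string" use="optional"/>
			<xs:attribute name="Profile" type="xs:anyURI" use="required"/>
		</xs:complexType>
	</xs:element>
	<!-- PROTOCOL MESSAGES END -->
	<!-- SIGNREQUEST OPTIONAL INPUTS START -->
	<!-- SignRequestOptionalInputs Type START -->
	<xs:complexType name="SignRequestOptionalInputs">
		<xs:sequence>
			<xs:choice maxOccurs="unbounded">
				<xs:element name="SignatureType" type="xs:anyURI"/>
				<xs:element name="AddTimestamp">
					<xs:complexType>
						<xs:attribute name="Type" type="xs:anyURI" use="optional"/>
					</xs:complexType>
				</xs:element>
				<xs:element name="IntendedAudience">
					<xs:complexType>
						<xs:sequence>
							<xs:element name="Recipient" type="saml:NameIdentifierType" maxOccurs="unbounded"/>
						</xs:sequence>
					</xs:complexType>
				</xs:element>
				<!-- Lets the client choose the signing key. The server must check that the authenticated requester is authorised to sign with the selected key; the selector itself proves nothing. -->
				<xs:element name="KeySelector">
					<xs:complexType>
						<xs:choice>
							<!-- <xs:element ref="ds:KeyInfo"/> -->
							<xs:element ref="dss:XMLKeyInfo"/>
							<xs:group ref="dss:ExtensionGroup"/>
						</xs:choice>
					</xs:complexType>
				</xs:element>
				<xs:element name="SignedReferences">
					<xs:complexType>
						<xs:sequence>
							<xs:element ref="dss:SignedReference" maxOccurs="unbounded"/>
						</xs:sequence>
					</xs:complexType>
				</xs:element>
				<xs:element name="Properties">
					<xs:complexType>
						<xs:sequence>
							<xs:element name="SignedProperties" type="dss:PropertiesType" minOccurs="0"/>
							<xs:element name="UnsignedProperties" type="dss:PropertiesType" minOccurs="0"/>
						</xs:sequence>
					</xs:complexType>
				</xs:element>
				<!-- Where to insert an enveloped signature. Both XPath forms are client-supplied expressions the server evaluates against the document named by WhichDocument. -->
				<xs:element name="SignaturePlacement">
					<xs:complexType>
						<xs:choice>
							<xs:element name="XPathAfter" type="xs:string"/>
							<xs:element name="XPathFirstChildOf" type="xs:string"/>
						</xs:choice>
						<xs:attribute name="WhichDocument" type="xs:IDREF"/>
					</xs:complexType>
				</xs:element>
				<!-- From the covering mail: each ObjectToEnvelop becomes one ds:Object inside the resulting Signature. -->
				<xs:element name="ObjectsToEnvelop">
					<xs:complexType>
						<xs:sequence>
							<xs:element ref="dss:ObjectToEnvelop" maxOccurs="unbounded"/>
						</xs:sequence>
					</xs:complexType>
				</xs:element>
				<xs:group ref="dss:ExtensionGroup"/>
			</xs:choice>
		</xs:sequence>
	</xs:complexType>
	<!-- SignRequestOptionalInputs Type END -->
	<xs:element name="Property">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="Identifier" type="xs:anyURI"/>
				<xs:element name="Value" type="dss:AnyType" minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<xs:complexType name="PropertiesType">
		<xs:sequence>
			<xs:element ref="dss:Property" maxOccurs="unbounded"/>
		</xs:sequence>
	</xs:complexType>
	<xs:element name="XMLKeyInfo">
		<xs:complexType>
			<xs:sequence>
				<xs:element ref="ds:KeyInfo"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<!-- Per-document override for the ds:Reference the server builds. RefId is copied into ds:Reference/@Id, which is an xs:ID, so it is constrained to an NCName here instead of xs:string: a free-form string would let a client inject spaces or quotes into the generated signature. -->
	<xs:element name="SignedReference">
		<xs:complexType>
			<xs:sequence>
				<xs:element ref="ds:Transforms" minOccurs="0"/>
			</xs:sequence>
			<xs:attribute name="WhichDocument" type="xs:IDREF" use="required"/>
			<xs:attribute name="RefId" type="xs:NCName" use="optional"/>
		</xs:complexType>
	</xs:element>
	<!-- One input document to wrap in a ds:Object. WhichDocument is required, consistent with SignedReference, since the element is meaningless without it. ObjId is copied into ds:Object/@Id (an xs:ID) and is therefore an NCName, for the same reason as RefId above. -->
	<xs:element name="ObjectToEnvelop">
		<xs:complexType>
			<xs:attribute name="WhichDocument" type="xs:IDREF" use="required"/>
			<xs:attribute name="ObjId" type="xs:NCName" use="optional"/>
		</xs:complexType>
	</xs:element>
	<!-- SIGNREQUEST OPTIONAL INPUTS END -->
	<!-- SIGNRESPONSE OPTIONAL OUTPUTS START -->
	<xs:complexType name="SignResponseOptionalOutputs">
		<xs:sequence>
			<xs:choice maxOccurs="unbounded">
				<!-- The input document with the enveloped signature inserted at the requested SignaturePlacement. -->
				<xs:element name="DocumentWithSignature">
					<xs:complexType>
						<xs:sequence>
							<xs:element ref="dss:Document"/>
						</xs:sequence>
					</xs:complexType>
				</xs:element>
				<xs:group ref="dss:ExtensionGroup"/>
			</xs:choice>
		</xs:sequence>
	</xs:complexType>
	<!-- SIGNRESPONSE OPTIONAL OUTPUTS END -->
	<!-- VERIFYREQUEST OPTIONAL INPUTS START -->
	<xs:complexType name="VerifyRequestOptionalInputs">
		<xs:sequence>
			<xs:choice minOccurs="0" maxOccurs="unbounded">
				<!-- Flag elements: presence alone carries the meaning. They are given an empty complex type so that, unlike an untyped (xs:anyType) element, they cannot smuggle arbitrary content. -->
				<xs:element name="VerifyManifests">
					<xs:complexType/>
				</xs:element>
				<xs:element name="VerificationTime" type="xs:dateTime"/>
				<!-- Key material supplied by the requester to help verification. It is not trusted by itself; the verifier must still chain it to a configured trust anchor. -->
				<xs:element name="AdditionalKeyInfo">
					<xs:complexType>
						<xs:sequence>
							<xs:element ref="ds:KeyInfo"/>
						</xs:sequence>
					</xs:complexType>
				</xs:element>
				<xs:element name="ReturnProcessingDetails">
					<xs:complexType/>
				</xs:element>
				<xs:element name="ReturnSigningTime">
					<xs:complexType/>
				</xs:element>
				<xs:element name="ReturnTimestampTime">
					<xs:complexType/>
				</xs:element>
				<xs:element name="ReturnSignerIdentity">
					<xs:complexType/>
				</xs:element>
				<xs:element name="ReturnUpdatedSignature">
					<xs:complexType>
						<xs:attribute name="Type" type="xs:anyURI" use="optional"/>
					</xs:complexType>
				</xs:element>
				<!-- WhichReference indexes the ds:Reference list; whether it is zero- or one-based is not stated here, TODO(review) confirm. A negative index is never meaningful, hence nonNegativeInteger. -->
				<xs:element name="ReturnTransformedDocument">
					<xs:complexType>
						<xs:attribute name="WhichReference" type="xs:nonNegativeInteger" use="required"/>
					</xs:complexType>
				</xs:element>
				<xs:group ref="dss:ExtensionGroup"/>
			</xs:choice>
		</xs:sequence>
	</xs:complexType>
	<!-- VERIFYREQUEST OPTIONAL INPUTS END -->
	<!-- VERIFYRESPONSE OPTIONAL OUTPUTS START -->
	<!-- VerifyResponseOptionalOutputs START-->
	<xs:complexType name="VerifyResponseOptionalOutputs">
		<xs:sequence>
			<xs:choice maxOccurs="unbounded">
				<xs:element name="ProcessingDetails">
					<xs:complexType>
						<xs:sequence>
							<xs:element name="ValidDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
							<xs:element name="IndeterminateDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
							<xs:element name="InvalidDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
						</xs:sequence>
					</xs:complexType>
				</xs:element>
				<!-- ThirdPartyTimestamp tells the client whether the time came from a timestamp authority or is merely the signer's own claim. -->
				<xs:element name="SigningTime">
					<xs:complexType>
						<xs:simpleContent>
							<xs:extension base="xs:dateTime">
								<xs:attribute name="ThirdPartyTimestamp" type="xs:boolean" use="required"/>
							</xs:extension>
						</xs:simpleContent>
					</xs:complexType>
				</xs:element>
				<xs:element name="TimestampTime" type="xs:dateTime"/>
				<xs:element name="SignerIdentity" type="saml:NameIdentifierType"/>
				<xs:element name="UpdatedSignature">
					<xs:complexType>
						<xs:sequence>
							<xs:element ref="dss:SignatureObject"/>
						</xs:sequence>
						<xs:attribute name="Type" type="xs:anyURI" use="optional"/>
					</xs:complexType>
				</xs:element>
				<!-- Mirrors ReturnTransformedDocument; same indexing caveat on WhichReference. -->
				<xs:element name="TransformedDocument">
					<xs:complexType>
						<xs:sequence>
							<xs:element ref="dss:XMLData"/>
						</xs:sequence>
						<xs:attribute name="WhichReference" type="xs:nonNegativeInteger" use="required"/>
					</xs:complexType>
				</xs:element>
				<xs:group ref="dss:ExtensionGroup"/>
			</xs:choice>
		</xs:sequence>
	</xs:complexType>
	<!-- VerifyResponseOptionalOutputs END -->
	<xs:complexType name="DetailType">
		<xs:sequence>
			<xs:element name="Code" type="xs:anyURI" minOccurs="0"/>
			<xs:element name="Message" type="dss:InternationalStringType" minOccurs="0"/>
			<xs:any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
		</xs:sequence>
		<xs:attribute name="Type" type="xs:anyURI" use="required"/>
	</xs:complexType>
	<!-- VERIFYRESPONSE OPTIONAL OUTPUTS END -->
	<!-- TIMESTAMP BEGIN -->
	<xs:element name="Timestamp">
		<xs:complexType>
			<xs:choice>
				<!--				<xs:element ref="ds:Signature"/> -->
				<xs:element ref="dss:XMLSignature"/>
				<xs:element name="RFC3161TimeStampToken" type="xs:base64Binary"/>
				<xs:group ref="dss:ExtensionGroup"/>
			</xs:choice>
		</xs:complexType>
	</xs:element>
	<!-- Timestamp token details. Not referenced by any other declaration in this draft. -->
	<xs:element name="TstInfo">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="SerialNumber" type="xs:integer"/>
				<xs:element name="CreationTime" type="xs:dateTime"/>
				<xs:element name="Policy" type="xs:anyURI" minOccurs="0"/>
				<xs:element name="ErrorBound" type="xs:duration" minOccurs="0"/>
				<xs:element name="Ordered" type="xs:boolean" default="false" minOccurs="0"/>
				<xs:element name="TSA" type="saml:NameIdentifierType" minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<!-- TIMESTAMP END -->
	<!-- REQUESTER IDENTITY BEGIN -->
	<!-- Structurally identical to ClaimedIdentity; the same caveat applies, it is an unauthenticated claim until the server binds it to real authentication. -->
	<xs:element name="RequesterIdentity">
		<xs:complexType>
			<xs:sequence>
				<xs:element name="Name" type="saml:NameIdentifierType"/>
				<xs:element name="SupportingInfo" type="dss:AnyType" minOccurs="0"/>
			</xs:sequence>
		</xs:complexType>
	</xs:element>
	<!-- REQUESTER IDENTITY END -->
</xs:schema>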

