

Subject: Re: [Fwd: [dss] More on EnvelopingSignature]



Konrad,

>
> Good point, and I agree that the question should be: if client side 
> transforms make sense at all
> for input documents that go into ds:Objects or are used to place 
> Signatures inside them
> (i.e. dss:SignaturePlacement).

I agree...

> The more I think about that, I'd conclude that client side transforms 
> are only really useful for detached
> signatures without ds:Objects if we want to return verifiable signatures.

Mmmm...yes... for enveloped signatures you would actually expect to insert
the signature within the original document, not within the result of 
transforming one....

>
> Right, the client side would have to exchange the ds:Objects content 
> against the content that was
> there before the first client side transform to have a verifiable 
> signature.
>
I am not sure I understand what you mean here... changing the 
ds:Object returned by the
server (if this is what you mean) would lead in certain situations to
failure of verification of the corresponding digest computed by the server.

> I think the same is also true for dss:SignaturePlacement assuming that 
> ds:Reference should be
> generated for an InputDocument pointed at by dss:SignaturePlacement.
>
Concerning SignaturePlacement, if the requested signature is 
detached, I still see it as
a good feature to process some transformations on the client side and 
request other transformations
from the server... it is the client's responsibility to ensure that the server 
will be able to generate
verifiable signatures.


> However this might also be a feature and good for certain clients that 
> have tight bandwidth limitations
> and hence want to use client side transforms, but this should probably 
> go into a profile.
>
So, is your suggestion to put client-side capabilities for generating 
transformations on the documents
and reporting on them to the server, within a profile, even for the 
detached signature cases?

Juan Carlos.

> Konrad
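An added illustration of the question discussed in this thread (not part of the original message and not code from the DSS specification): a simplified Python model in which the server digests input the client has already transformed. The function names, the dictionary standing in for a ds:Reference, and the sample document are assumptions; only the XMLDSig base64 transform is modelled.

```python
import base64
import hashlib

BASE64_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#base64"

def apply_transforms(data, transforms):
    """Apply the listed transforms in order (only base64 decoding is modelled)."""
    for uri in transforms:
        if uri != BASE64_TRANSFORM:
            raise ValueError("unsupported transform: " + uri)
        data = base64.b64decode(data, validate=True)
    return data

def server_make_reference(received, recorded_transforms):
    """Toy server: digest the bytes as received (already transformed by the
    client) and record the given transforms in the reference."""
    return {"transforms": list(recorded_transforms),
            "digest": hashlib.sha256(received).hexdigest()}

def verify_reference(ref, dereferenced):
    """Verifier: re-apply the recorded transforms to the dereferenced bytes."""
    try:
        data = apply_transforms(dereferenced, ref["transforms"])
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False
    return hashlib.sha256(data).hexdigest() == ref["digest"]

def demo():
    # Constructed sample: the client holds a base64-encoded document and
    # decodes it locally before sending it to the server.
    original = base64.b64encode(b"<order id='42'>10 widgets</order>")
    sent = apply_transforms(original, [BASE64_TRANSFORM])

    # Case A: the client's transform is recorded in the reference.
    ref_a = server_make_reference(sent, [BASE64_TRANSFORM])
    # Case B: the server digests the ds:Object content with no transforms.
    ref_b = server_make_reference(sent, [])
    return {
        # Detached: the verifier fetches the original and repeats the transform.
        "detached": verify_reference(ref_a, original),
        # Enveloping: ds:Object holds the transformed bytes the server received.
        "object_as_returned": verify_reference(ref_a, sent),
        # The client swaps the ds:Object content back to the original.
        "object_after_swap": verify_reference(ref_a, original),
        # Swapping when the digest covers the object content itself.
        "swap_without_transforms": verify_reference(ref_b, original),
        "no_swap_without_transforms": verify_reference(ref_b, sent),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "verifies" if ok else "FAILS")
```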



