[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Way Forward on Basic Processing in terms of EnvelopedSignatures,ds:Objects (EnvelopingSignatures), client-side splicing plus client-sidetransforms.
Hi Trevor and all,
Trevor Perrin wrote:
> [...]
> a) making this a typical optional input, i.e. not part of basic
> processing
> b) making this a fundamental part of the protocol, i.e. not an
> optional input
>
> Since you intend profiles to choose it or not, I suggest (a).
Thanks for bringing this up, this is a crucial point however we have to
think this through and I think the right answer might be somewhere in
between.
Executive Summary:
Please read Question I (QI ) and Answer III (QI AIII), (QII) (QII AII),
(QIII AII) and (QIV) (QIV AI) to see my suggestion.
Detailed Discussion:
If in basic processing a <dss:Document> with a same-document Uri appears
a XMLSig implementation will have to be able to dereference the data
there (i.e. in the same-document and its context), so we might have to
ask for further information. If also <dss:IncludeObject> (or
<dss:SignaturePlacement> in the case of RefURI="") is pointing to the
<dss:Document> in question we do not have a problem and we can
understand this request to include the the content of <dss:Document> in
question as a <ds:Object> (or we create an EnvelopedSignature in the
case of SignaturePlacement plus RefURI="").
(Q I)
The interesting question now is: Does the same-document Uri imply that
there also has to be a <dss:IncludeObject>( or a
<dss:SignaturePlacement>) and hence a <ds:Object> has to be
embedded/spliced (or an EnvelopedSignature has to be created)?
(QI AI)
An answer could be yes and we hence have to prohibit same-document Uris
for basic processing and say they MUST have been consumed by optional
inputs <dss:IncludeObject> or <dss:SignaturePlacement> already and go
for a). This however would imply that only DetachedSignatures would be
created by basic processing.
(QI AII)
Or same-document Uris are allowed for basic processing and we move
towards b) and say <dss:IncludeObject> or <dss:SignaturePlacement> are
included as fundamental inputs in the basic processing and hence allow
the full plurality of possible signatures (e.g. an enveloped signature
with <ds:Objects>) in basic processing.
(QI AIII)
Basic processing supports same-document Uris as well as others but in
the case of a same-document URI processing has to be overridden by
<dss:IncludeObject> or <dss:SignaturePlacement> plus server side
splicing as the safe default behavior for the core.
(I.e. If a same document Uri appears that has not been dealt with
already by an optional input we'll throw an error, as we cannot
dereference it without having done the splicing beforehand).
Alternatively this can be overridden by client-side splicing
(potentially plus client-side transforms) by using an
<dss:AdditionalProfile>, which prohibits the optional inputs
<dss:IncludeObject> and <dss:SignaturePlacement> and defines that the
<dss:Documents> having same-document references and are assured to be
dereference able at the server side. Also the client server distribution
of transforms and parsing that are used have to have properties as
required and discussed in the thread (Trevors comments in [dss] Core
spec: client-side transforms, etc... ) plus others more yet to be discussed.
(QII)
Another question is about one special case we also should not forget
about: What if a client wishes to have a document with a signature in
it, having one ore more references with same-document Uris pointing to
some arbitrary NodeSets within this very same document? How do we
communicate these RefURIs.
(QII AI)
An answer could be that we do not support that.
(QII AII)
We should extend SignedReference to also have an optional RefURI
attribute for same-document references in combination with the
WhichDocument overriding the RefURI of <dss:Document>. Or in the case of
external-Uris allowing to omit the WhichDocument attribute that the
server can try to retrieve the document from the Internet via http/https
or so.
This allows us now to answer Question I with yes in any circumstance,
and every same-document Uri of <dss:Document> is now either (Ref="" or
Ref=null) in combination with SignaturePlacement or for a <ds:Object>.
If this was not true the client would have sent a SignedReference having
the optional RefURI attribute set to a same-document reference in
combination with the WhichDocument.
> I also suggest not deleting the current text about client-side
> splicing, but adding qualifications (e.g., that it can be used for
> <DocumentHash>, or with servers that do not normalize inputs).
This is a good point and I think that client-side splicing should still
be a crucial part of dss provided that we issue appropriate warnings and
that it is not the default behavior.
(QIII)
How does client-side splicing now fit in?
(QIII AI)
We could add an optional Input to the core and explain the issues with
client side splicing there, which might a add considerable amount of text.
<xs:element name="ClientSideSplicing">
<xs:complexType>
<xs:attribute name="spliceDsObjects" type="xs:boolean"
default="false"/>
<xs:attribute name="spliceEnvelopedDsSignature"
type="xs:boolean" default="false"/>
</xs:complexType>
</xs:element>
(QIII AII)
We should support client side splicing in a profile defining the element
above to be included by using <dss:AdditionalProfile>
plus using the ClientSideSplicing as optional input and clearly state
that we recommend core implementations to also implement this profile.
(QIV)
Should we still call <dss:IncludeObject>, <dss:SignaturePlacement> and
<dss:SignedReference> optional Input.
(QIV AI)
yes, but require basic processing to use them in the case of
same-document Uris.
(QIV AII)
no.
best regards
Konrad
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]