OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

dss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [dss] Way Forward on Basic Processing in terms of EnvelopedSignatures,ds:Objects (EnvelopingSignatures), client-side splicing plus client-sidetransforms.

Konrad Lanz wrote:
> Hi Trevor and all,
> 
> Trevor Perrin wrote:
> 
>> [...]
>>  a) making this a typical optional input, i.e. not part of basic 
>> processing
>>  b) making this a fundamental part of the protocol, i.e. not an 
>> optional input
>>
>> Since you intend profiles to choose it or not, I suggest (a).
> 
> 
> Thanks for bringing this up, this is a crucial point however we have to 
> think this through and I think the right answer might be somewhere in 
> between.
> 
> Executive Summary:
> Please read Question I (QI ) and Answer III (QI AIII), (QII) (QII AII), 
> (QIII AII) and (QIV) (QIV AI) to see my suggestion.

Okay, my suggestions below.

Basically, I think the changes to <EnvelopingSignature> are fine 
(renaming it to <IncludeObject>, adding 'hashObjectTagsAndAttributesSet').

However, I don't see the problem with client splicing that necessitates 
making <IncludeObject> part of basic processing, or demoting client 
splicing to a profile.

As I understand it, the "problem" is that servers might rewrite the 
client's XML before signing (without recording a <ds:Transformation>), 
thus clients would not be splicing with the correct XML.

However, that is bad server behavior.  So I think we should just add 
text to clarify that and leave things as-is.


> (Q I)
> The interesting question now is: Does the same-document Uri imply that 
> there also has to be a <dss:IncludeObject>( or a 
> <dss:SignaturePlacement>) and hence a <ds:Object> has to be 
> embedded/spliced (or an EnvelopedSignature has to be created)?

No.


> (QII)
> Another question is about one special case we also should not forget 
> about: What if a client wishes to have a document with a signature in 
> it, having one ore more references with same-document Uris pointing to 
> some arbitrary NodeSets within this very same document? How do we 
> communicate these RefURIs.

I don't understand this question.


> (QIII)
> How does client-side splicing now fit in?

Leave it where it is, with qualifications (that it can be used for 
<DocumentHash>; that it should not be used with profiles that rewrite 
inputs).


Trevor

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]