some final polishing of WD40 (the next bit from line 1089 to 1678)

[Konrad Lanz <Konrad.Lanz@labs.cio.gv.at>]

Hi Stefan and all

Some more points. Especially fix ALL the cross references and the 
references at the end.

I hope that's it for the second part and we are done.

best regards
Konrad

some final polishing for
http://www.oasis-open.org/apps/org/workgroup/dss/download.php/17296/oasis-dss-1.0-core-spec-wd-40.pdf

* Remove several empty lines e.g 1181, 1195, 1223, 1274, 1284, 1316, 
1317, 1346, 1569, etc ... Use line spacing where extra space between 
lines is necessary.
* Line 1196 - 1211 Check font for <IncludeObject>, <ds:Object>, 
<dss:Base64Data> etc ...
* Lines 1229 - 1231: Change to: This <Document> MUST include a 
"same-document" RefURI attribute which references the data to be signed 
E.g: RefURI="", RefURI="#xpointer('/')" ( RefURI="#xpointer(%27%2F%27)" ).

Also add a reference to section 4.2. Same-document References [RFC 2396] 
or 4.4.  Same-Document Reference [RFC 3986] 
http://www.ietf.org/rfc/rfc3986.txt.
* Lines 1233 - 1236
change to

In the case of a non-XML input document then the server issues a 
RequesterError qualified by NotParseableXMLDocument.
When <XpathAfter> and <XpathFirstChildOf> are both omitted, the server 
places the signature in the input document in accordance with procedures 
defined in a profile or as part of the server policy otherwise it 
default to placing it as first child of the document element.
* Line 1309: Make a reference to  6.6.3 XPath Filtering [XMLSig] 
(http://www.w3.org/TR/xmldsig-core/#function-here)

*Line 1342: Add a note:
Note: This is incompatible with <DocumentHash> and if used with 
<TransformedData> the last transform of <TransformedData> MUST be c14n 
otherwise a RequesterError must be thrown qualified by a result minor 
NotSupported.

* Line 1440: change to : The <VerifyResponse> inherits from 
<dss:ResponseBaseType> and defines no additional attributes and elements.

* Line 1455: Check font of <Base64XML> and <EscapedXML>.
* Line 1461: change Error to RequesterError

* Lines 1501 - 1513: When JC and myself wrote this we did not quite get 
the English smooth : May I kindly ask you Nick to enhance the language 
here a little bit?

Note: The extraction of the <ds:Signature> from the <SignatureObject> 
should be performed without namespace inheritance and without attribute 
inheritance. If the signature <ds:Signature> does not use exclusive 
canonicalization as it's <ds:CanonicalizationMethod> problems can appear 
caused by namespace declarations moved by gateways or protocol 
processors of outer protocol bindings that alter the
signature object and cause false negatives on validation.

More problems appear due to different behavior of xml parsers in schema 
validating parsing vs. non-validating parsing. Things like datatype
normalizations would have to be healed by canonicalization solely as no 
transforms are available for ds:SignedInfo.

Currently available specifications of canonicalization are not aware of
schema data types and a solution to heal these defects is currently not 
possible.

Beware, these problems can occur as soon as parsing the whole request 
including protocol bindings like SOAP.

Implementors are encouraged to make use of <dss:Base64XML> or <dss: 
EscapedXML> if problems and bandwidth limitations are not so crucial 
instead.
* Line 1541: DSS XAdES profile reference missing.

* Lines 1608 - 1609: 4.4 Result Codes: For Information with regard to 
Result Codes see above section 2.6 "Element <Result>".
Fix the cross references for 4.4.

* Line 1633 - 1644: Please fix the formatting.

* Lines 2115 - 2117: [RFC 2119] Check this reference as it seems to be 
wrong.

* Lines 1668 - End: I'll check them later