Subject: RE: [dss] XML time-stamp processing text for time-stamp profile
Dear all,

BTW, with the XML timestamp definition in the core, have you considered protecting the TSA's signing certificate (as 3161 mandates for CMS timestamps) to avoid certificate replacement attacks?

I would include that in the <ds:SignedInfo>/<ds:Reference> (lines 1879-1882):

<ds:SignedInfo>/<ds:Reference> [Required]
There MUST be a single <ds:Reference> element whose URI attribute references the <ds:Object> containing the enveloped <TstInfo> element, and whose Type attribute is equal to urn:oasis:names:tc:dss:1.0:core:schema:XMLTimeStampToken.

Kind regards,

Carlos

Carlos González-Cadenas
Chief Security Officer
netfocus
Diagonal 188-198 Planta 2
08018 Barcelona
tel: 902 303 393
fax: 902 303 394
gonzalezcarlos@netfocus.es
www.netfocus.es

-----Original Message-----
From: Juan Carlos Cruellas [mailto:cruellas@ac.upc.edu]
Sent: Sunday, May 14, 2006 20:19
To: 'OASIS DSS TC'
Subject: [dss] XML time-stamp processing text for time-stamp profile

Dear all,

Please find attached a proposal for details on text to be included within the time-stamp profile dealing with the basic processing for XML time-stamps for both SignRequest and VerifyRequest.

I have taken the document of the profile, emptied all the sections and added what I think should be the two new sections, in order to facilitate the editor their inclusion in the final document.

Nevertheless, I also copy the text below to facilitate comments in emails.

New section 3.3 (section 3 corresponds to the profile of the Signing Protocol). The text gives details on how the server should proceed for generating an XML time-stamp.

-------
3.3 Processing for XML time-stamps

If the <dss:SignatureType> content is “oasis:names:tc:dss:1.0:core:schema:XMLTimeStampToken” or when this element is not present and the server decides to generate an XML time-stamp, it MUST follow the rules established in the core for generating digital signatures (section 3.3 of [DSSCore]) with the changes mentioned below.

The server MUST perform the following steps between steps 2 and 3 of [DSSCore] section 3.3.1:

2.a Generate a dss:TSTInfo element as defined in [DSSCore] section 5.1.2 with the suitable contents, and envelope it within a new ds:Object.

2.b Generate a new ds:Reference element referencing (explicitly or implicitly) the aforementioned ds:Object enveloping the TSTInfo. Set its “Type” attribute to “urn:oasis:names:tc:dss:1.0:core:schema:XMLTimeStampToken”.

2.c Insert this ds:Reference element within the ds:SignedInfo and the ds:Object element within the resulting ds:Signature element as mandated by [XMLSig]
----------------

New section 4.3. Section 4 corresponds to the Verifying Protocol. The text gives details on how the server should proceed for verifying an XML time-stamp.

------------------
4.3 Processing for XML time-stamps

When receiving a dss:VerifyRequest requesting an XML time-stamp token verification, the server MUST proceed as follows:

1. Extract the dss:TimeStamp element from the dss:SignatureObject element.

2. Proceed as indicated in section 4.3.2.2 steps 2 to 6 (both included) of [DSSCore]. This ensures that the arrived signature is an XML time-stamp as defined in [DSSCore] section 5.1.2 and that it envelopes and signs the corresponding dss:TSTInfo element.

3. Proceed as indicated in section 4.3 steps 2 to 4 (both included) of [DSSCore] for each of the rest of the ds:Reference elements within the ds:SignedInfo element. This will allow the server to retrieve the time-stamped documents from the corresponding ds:Reference elements, to extract them from the request, to validate their digests, to verify the signature value, and to generate the corresponding result value.
------------------

REMAINING ISSUE: Steps 2 to 4 in 4.3 contain details on how the server should proceed in case the ds:Signature (which is now a time-stamp) is an enveloped signature.... should we then clarify in the text of the time-stamp profile that this will never be possible for this kind of signature?

Regards

Juan Carlos.
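
The structural rule quoted in this thread (a single ds:Reference typed as XMLTimeStampToken that points at the ds:Object enveloping the TstInfo) can be checked as below. This is an added example, not part of either message or of the DSS documents; the function names, the sample token, the DSS namespace for TstInfo and the restriction to explicit "#Id" references are assumptions.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DSS = "urn:oasis:names:tc:dss:1.0:core:schema"  # assumed namespace of TstInfo
TST_TYPE = DSS + ":XMLTimeStampToken"           # Type value quoted in the thread


def check_timestamp_structure(xml_text):
    """Return (ok, reason) for the structural rules only; no crypto is verified."""
    sig = ET.fromstring(xml_text)
    if sig.tag != f"{{{DS}}}Signature":
        return False, "root is not ds:Signature"
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    typed = [r for r in refs if r.get("Type") == TST_TYPE]
    if len(typed) != 1:
        return False, f"expected 1 time-stamp Reference, found {len(typed)}"
    uri = typed[0].get("URI", "")
    if not uri.startswith("#") or len(uri) == 1:
        return False, "time-stamp Reference is not a same-document #Id reference"
    # An Id that occurs twice makes the reference ambiguous, so reject it.
    ids = [e.get("Id") for e in sig.iter() if e.get("Id") is not None]
    if ids.count(uri[1:]) != 1:
        return False, "referenced Id is missing or not unique"
    # The target must be a ds:Object that is a direct child of ds:Signature.
    objs = [o for o in sig.findall(f"{{{DS}}}Object") if o.get("Id") == uri[1:]]
    if not objs:
        return False, "referenced element is not a ds:Object of this signature"
    # The thread spells the element both TstInfo and TSTInfo; accept either.
    tst = [c for c in objs[0] if c.tag in (f"{{{DSS}}}TstInfo", f"{{{DSS}}}TSTInfo")]
    if len(tst) != 1:
        return False, "ds:Object does not envelope exactly one TstInfo"
    return True, "ok"


def sample(ref_type=TST_TYPE, extra_object=""):
    """Constructed token skeleton (placeholder signature value, empty TstInfo)."""
    return f"""<ds:Signature xmlns:ds="{DS}" xmlns:dss="{DSS}">
  <ds:SignedInfo>
    <ds:Reference URI="#tst" Type="{ref_type}"/>
    <ds:Reference URI="#doc"/>
  </ds:SignedInfo>
  <ds:SignatureValue>AA==</ds:SignatureValue>
  <ds:Object Id="tst"><dss:TstInfo/></ds:Object>{extra_object}
</ds:Signature>"""
```

This covers structure only; digests and the signature value still have to be validated as described for [DSSCore] section 4.3.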