Subject: Possible implications of Inma Marin's comment: http://lists.oasis-open.org/archives/dss-comment/200605/msg00000.html
Dear all,

Reading Inma's comment, I think that its resolution could lead to re-writing of sections 4.6.7 (ReturnUpdatedSignature) and 4.6.9 AddTimeStamp (optional input for verification protocol) and maybe the introduction of a new optional output for the verification case. Below follow some considerations:

Inma's comment asks about the precise way of giving the user back the signature with the time-stamp after she asked for verification and addition of a time-stamp. She identifies a number of cases, which are not made explicit in the core, and that might be detailed for avoiding ambiguities and misinterpretations. I would say that:

0. Requesting to add a time-stamp to a signature is one thing. Requesting that the server gives back the updated signature is another. The current text in 4.6.9 reads:

"The <AddTimestamp> element within a <VerifyRequest> message indicates that the client wishes the server to update the signature after its verification by embedding a signature timestamp token as an unauthenticated attribute."

It does not say anything about when the server will give the (updated) signature back to the user: always? or only when both optional inputs, namely <ReturnUpdatedSignature> and <AddTimeStamp>, are present? I would say, for the sake of orthogonality, that it should be explicitly said that only if the <ReturnUpdatedSignature> is present will the server give it back to the client (it might happen that the client was feeding a service accomplishing both functions, verifying and storage of signatures...). This could be done by adding the following after the first paragraph:

"If the request contains the <dss:ReturnUpdatedSignature> optional element then the server will return the signature with the generated signature time-stamp token following the rules established in section 4.6.7."

1. As for the text in section 4.6.7, actually most of the text written by Inma in her message could be integrated to describe the different scenarios.

For doing that, I would propose the addition of some text after the xml schema definition of the <ReturnUpdatedSignature>... and maybe the addition of a new optional output. Below I draft a proposal:

"The contents of the <dss:UpdatedSignature> element will be generated according to the following rules:

a) If the signature to be verified and updated appears within a <SignatureObject>'s <ds:Signature> or <Base64Signature> then the <UpdatedSignature> optional output MUST contain the modified <SignatureObject> with the corresponding <ds:Signature> or <Base64Signature> child containing the updated signature.

b) If the signature to be verified and updated is enveloped, i.e. if the <VerifyRequest> contains a <SignatureObject> with a <SignaturePtr> pointing to an <InputDocument> enveloping the signature, then the <UpdatedSignature> optional output MUST contain a <SignatureObject> with the <ds:Signature> or the <Base64Signature> enclosing the verified and updated signature, extracted from its enveloping document."

[ Comment: here we have a question: where does the server put the time-stamped signature? We may do two things: let the server extract the signature and put it within a <ds:Signature> or the <Base64Signature>, then no need for anything... OR make the <DocumentWithSignature> be also an optional output of the verifying protocol; then the text would be slightly different and this new section be added:

"b) If the signature to be verified and updated is enveloped, i.e. if the <VerifyRequest> contains a <SignatureObject> with a <SignaturePtr> pointing to an <InputDocument> enveloping the signature, then the <UpdatedSignature> optional output MUST contain a <SignatureObject> having a <SignaturePtr> element that MUST point to a <DocumentWithSignature> optional output containing the document that envelopes the updated signature."

Opinions? ]

"c) If the <VerifyRequest> does not include the <SignatureObject> element, but there is a single <InputDocument> enveloping the signature to be verified and updated, then the <UpdatedSignature> optional output MUST contain a <SignatureObject> with the <ds:Signature> or the <Base64Signature> enclosing the verified and updated signature, extracted from its enveloping document."

[ Again, the same alternatives are present here. An alternative text below:

"c) If the <VerifyRequest> does not include the <SignatureObject> element, but there is a single <InputDocument> enveloping the signature to be verified and updated, then the <UpdatedSignature> optional output MUST contain a <SignatureObject> having a <SignaturePtr> element that MUST point to a <DocumentWithSignature> optional output containing the document that envelopes the updated signature." ]

Regards,
Juan Carlos.
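A small server-side decision routine for the rules proposed in the message above (point 0 plus cases a, b and c), added here as an illustration; it is not part of the original message nor of any DSS implementation. It assumes the DSS 1.0 core schema namespace, the <dss:AddTimestamp> spelling used in the quoted core text, and a WhichDocument attribute on <dss:SignaturePtr> referencing the ID of a <dss:Document>.

```python
import xml.etree.ElementTree as ET

# Namespaces assumed here (DSS 1.0 core and XML-DSig); not taken from the message.
DSS = "urn:oasis:names:tc:dss:1.0:core:schema"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"dss": DSS, "ds": DS}


def classify_update_case(request_xml: str) -> str:
    """Decide how <dss:UpdatedSignature> must be built for a <dss:VerifyRequest>.

    Returns "none" when <ReturnUpdatedSignature> is absent (point 0: asking for a
    time-stamp alone does not imply getting the signature back), "a", "b" or "c"
    for the three proposed rules, or "unsupported" when no rule matches.
    """
    req = ET.fromstring(request_xml)
    opt = req.find("dss:OptionalInputs", NS)
    if opt is None or opt.find("dss:ReturnUpdatedSignature", NS) is None:
        return "none"
    sig_obj = req.find("dss:SignatureObject", NS)
    docs = req.findall("dss:InputDocuments/dss:Document", NS)
    if sig_obj is not None:
        # Rule a: the signature itself travels inside <SignatureObject>.
        if (sig_obj.find("ds:Signature", NS) is not None
                or sig_obj.find("dss:Base64Signature", NS) is not None):
            return "a"
        # Rule b: enveloped signature, <SignaturePtr> must resolve to an input document.
        ptr = sig_obj.find("dss:SignaturePtr", NS)
        if ptr is not None and any(d.get("ID") == ptr.get("WhichDocument") for d in docs):
            return "b"
        return "unsupported"
    # Rule c: no <SignatureObject>, exactly one (enveloping) input document.
    return "c" if len(docs) == 1 else "unsupported"


# Constructed sample requests (not real DSS traffic); signature bodies are elided.
HEAD = f'<dss:VerifyRequest xmlns:dss="{DSS}" xmlns:ds="{DS}">'
BOTH = "<dss:OptionalInputs><dss:ReturnUpdatedSignature/><dss:AddTimestamp/></dss:OptionalInputs>"
REQ_A = HEAD + BOTH + "<dss:SignatureObject><ds:Signature/></dss:SignatureObject></dss:VerifyRequest>"
REQ_B = HEAD + BOTH + ('<dss:InputDocuments><dss:Document ID="doc1"/></dss:InputDocuments>'
                       '<dss:SignatureObject><dss:SignaturePtr WhichDocument="doc1"/></dss:SignatureObject>'
                       "</dss:VerifyRequest>")
REQ_C = HEAD + BOTH + '<dss:InputDocuments><dss:Document ID="doc1"/></dss:InputDocuments></dss:VerifyRequest>'
REQ_TS_ONLY = HEAD + ("<dss:OptionalInputs><dss:AddTimestamp/></dss:OptionalInputs>"
                      "<dss:SignatureObject><ds:Signature/></dss:SignatureObject></dss:VerifyRequest>")

if __name__ == "__main__":
    for name, req in [("a", REQ_A), ("b", REQ_B), ("c", REQ_C), ("timestamp only", REQ_TS_ONLY)]:
        print(name, "->", classify_update_case(req))
```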