Subject: Possible implications of Inma Marin's comment: http://lists.oasis-open.org/archives/dss-comment/200605/msg00000.html


Dear all,

Reading Inma's comment, I think that its resolution could lead to 
re-writing of sections 4.6.7 (ReturnUpdatedSignature) and 4.6.9 
AddTimeStamp (optional input for verification protocol) and maybe the 
introduction of a new optional output for the verification case. Below 
follow some considerations:

Inma's comment asks about the precise way of giving the user back the 
signature with the time-stamp after she asked for verification and 
addition of a time-stamp. She identifies a number of cases, which are 
not made explicit in the core, and that might be detailed for avoiding 
ambiguities and misinterpretations.

I would say that:

0. Requesting to add a time-stamp to a signature is one thing. 
Requesting that the server gives back the updated signature is another. 
The current text in 4.6.9 reads:

"The <AddTimestamp> element within a <VerifyRequest> message indicates 
that the client wishes the server to update the signature after its 
verification by embedding a signature timestamp token as an 
unauthenticated attribute."

It does not say anything about when the server will give the (updated) 
signature back to the user: always? Or only when both optional inputs, 
namely <ReturnUpdatedSignature> and <AddTimeStamp>, are present?

I would say, for the sake of orthogonality, that it should be explicitly 
said that only if the <ReturnUpdatedSignature> is present, the server 
will give it back to the client... (it might happen that the client was 
feeding a service accomplishing both functions, verifying and storage of 
signatures...)

This could be done by adding the following after the first paragraph:

"If the request contains the <dss:ReturnUpdatedSignature> optional 
element then the server will return the signature with the generated 
signature time-stamp token following the rules established in section 
4.6.7."

1. As for the text in section 4.6.7, actually most of the text written 
by Inma in her message could be integrated to describe the different 
scenarios. For doing that, I would propose the addition of some text 
after the xml schema definition of the <ReturnUpdatedSignature>... and 
maybe the addition of a new optional output. Below I draft a proposal

"The contents of the <dss:UpdatedSignature> element will be generated 
according to the following rules:


a) If the signature to be verified and updated appears within a 
<SignatureObject>'s <ds:Signature> or <Base64Signature> then the 
<UpdatedSignature> optional output MUST contain the modified 
<SignatureObject> with the corresponding <ds:Signature> or 
<Base64Signature> child containing the updated signature.

b) If the signature to be verified and updated is enveloped, i.e. if the 
<VerifyRequest> contains a <SignatureObject> with a <SignaturePtr> 
pointing to an <InputDocument> enveloping the signature, then the 
<UpdatedSignature> optional output MUST contain a <SignatureObject> with 
the <ds:Signature> or the <Base64Signature> enclosing the verified and 
updated signature, extracted from its enveloping document."

[ Comment: here we have a question: where does the server put the 
time-stamped signature? We may do two things: let the server extract 
the signature and put it within a <ds:Signature> or the 
<Base64Signature>, then no need for anything.... OR make the 
<DocumentWithSignature> be also an optional output of the verifying 
protocol and then the text would be slightly different and this new 
section be added

b) If the signature to be verified and updated is enveloped, i.e. if the 
<VerifyRequest> contains a <SignatureObject> with a <SignaturePtr> 
pointing to an <InputDocument> enveloping the signature, then the 
<UpdatedSignature> optional output MUST contain a <SignatureObject> having 
a <SignaturePtr> element that MUST point to a <DocumentWithSignature> 
optional output containing the document that envelopes the updated 
signature."

Opinions?
]

"c) If the <VerifyRequest> does not include the <SignatureObject> 
element, but there is a single <InputDocument> enveloping the signature 
to be verified and updated, then the <UpdatedSignature> optional output 
MUST contain a <SignatureObject> with the <ds:Signature> or the 
<Base64Signature> enclosing the verified and updated signature, 
extracted from its enveloping document."

[ Again, the same alternatives are present here. An alternative text below:

"c) If the <VerifyRequest> does not include the <SignatureObject> 
element, but there is a single <InputDocument> enveloping the signature 
to be verified and updated, then the <UpdatedSignature> optional output 
MUST contain a <SignatureObject> having a <SignaturePtr> element that MUST 
point to a <DocumentWithSignature> optional output containing the 
document that envelopes the updated signature."

]

Regards

Juan Carlos.
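To make the proposal concrete, the following is an added example (not code from the OASIS DSS TC or from this message) that applies point 0 and rules a), b) and c) to a <dss:VerifyRequest>: it classifies which case a request falls under and builds the <dss:UpdatedSignature> optional output only when <dss:ReturnUpdatedSignature> is present, regardless of <dss:AddTimestamp>. The namespace URIs are the real DSS 1.0 core and XML-DSig ones; the element nesting (OptionalInputs, InputDocuments/Document with an ID, SignaturePtr with WhichDocument), the sample requests and the base64 payloads are assumptions constructed for the example, and the time-stamping step itself is left to the caller, who passes in the already updated signature. For cases b) and c) it follows the first alternative in the message (extract the signature and return it inside a fresh <dss:SignatureObject>).

```python
import xml.etree.ElementTree as ET

# Namespace URIs of DSS 1.0 core and XML-DSig (real). The element nesting used
# below (OptionalInputs, InputDocuments/Document with an ID, SignaturePtr with
# WhichDocument) is an assumption made for this example, simplified from the schema.
DSS = "urn:oasis:names:tc:dss:1.0:core:schema"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"dss": DSS, "ds": DS}
ET.register_namespace("dss", DSS)
ET.register_namespace("ds", DS)


def has_optional_input(req, name):
    """True when <dss:OptionalInputs> of the request carries <dss:{name}>."""
    return req.find(f"dss:OptionalInputs/dss:{name}", NS) is not None


def update_case(req):
    """Classify a <dss:VerifyRequest> per the proposed rules a), b), c).

    Returns "a", "b" or "c", or None when the request does not single out
    one signature to verify and update.
    """
    sig_obj = req.find("dss:SignatureObject", NS)
    docs = req.findall("dss:InputDocuments/dss:Document", NS)
    if sig_obj is not None:
        # a) the signature itself travels inside the SignatureObject
        if (sig_obj.find("ds:Signature", NS) is not None
                or sig_obj.find("dss:Base64Signature", NS) is not None):
            return "a"
        # b) a SignaturePtr refers to an input document enveloping the signature
        ptr = sig_obj.find("dss:SignaturePtr", NS)
        if ptr is not None and any(d.get("ID") == ptr.get("WhichDocument") for d in docs):
            return "b"
        return None
    # c) no SignatureObject, but exactly one (enveloping) input document
    return "c" if len(docs) == 1 else None


def updated_signature_output(req, updated_sig):
    """Build the <dss:UpdatedSignature> optional output, or return None.

    Point 0 of the message: the updated signature goes back to the client only
    if <dss:ReturnUpdatedSignature> is present, whatever <dss:AddTimestamp> says.
    `updated_sig` is the already time-stamped signature as a <ds:Signature> or
    <dss:Base64Signature> element. Cases b) and c) use the first alternative:
    the signature is extracted from its document and wrapped in a SignatureObject.
    """
    if not has_optional_input(req, "ReturnUpdatedSignature"):
        return None
    case = update_case(req)
    if case is None:
        raise ValueError("request does not identify a single signature to update")
    if case == "a":
        # Rule a): the updated signature keeps the original child kind
        orig_kind = next(child.tag for child in req.find("dss:SignatureObject", NS))
        if updated_sig.tag != orig_kind:
            raise ValueError("case a): updated signature must keep the original form")
    out = ET.Element(f"{{{DSS}}}UpdatedSignature")
    ET.SubElement(out, f"{{{DSS}}}SignatureObject").append(updated_sig)
    return out


def b64_signature(text):
    """Constructed <dss:Base64Signature> carrying opaque base64 text."""
    el = ET.Element(f"{{{DSS}}}Base64Signature")
    el.text = text
    return el


def sample_requests():
    """Three constructed requests, one per rule; the base64 payloads are dummies."""
    head = f'<dss:VerifyRequest xmlns:dss="{DSS}" xmlns:ds="{DS}">'
    doc = '<dss:InputDocuments><dss:Document ID="doc1"><dss:Base64XML>PGRvYy8+' \
          '</dss:Base64XML></dss:Document></dss:InputDocuments>'
    a = head + '<dss:OptionalInputs><dss:AddTimestamp/><dss:ReturnUpdatedSignature/>' \
        '</dss:OptionalInputs><dss:SignatureObject><dss:Base64Signature>U0lHLUE=' \
        '</dss:Base64Signature></dss:SignatureObject></dss:VerifyRequest>'
    # b) asks for a time-stamp but NOT for the updated signature to be returned
    b = head + '<dss:OptionalInputs><dss:AddTimestamp/></dss:OptionalInputs>' + doc + \
        '<dss:SignatureObject><dss:SignaturePtr WhichDocument="doc1"/>' \
        '</dss:SignatureObject></dss:VerifyRequest>'
    c = head + '<dss:OptionalInputs><dss:AddTimestamp/><dss:ReturnUpdatedSignature/>' \
        '</dss:OptionalInputs>' + doc + '</dss:VerifyRequest>'
    return {k: ET.fromstring(v) for k, v in (("a", a), ("b", b), ("c", c))}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        out = updated_signature_output(req, b64_signature("U0lHLUEtVFM="))
        print(name, update_case(req),
              None if out is None else ET.tostring(out, encoding="unicode"))
```

Running the block shows request b) classified as case "b" yet producing no output, which is exactly the orthogonality the message argues for: the time-stamp is added server-side, but nothing comes back unless the client also asked for <dss:ReturnUpdatedSignature>.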