Public comments from Inma

["Nick Pope" <nickpope@secstan.com>]

I propose to send out the following email in response to public comments from Inma Marín

inma@dif.um.es

 

Thanks for your series of Comments on the OASIS DSS Core specification.

 

Your input was greatly appreciated and has been taken into account in the production of a revised CD which will be issued in the next few weeks for public comment.  In the mean time to let you know how the comment have been addressed:

 

Regarding your comments in the email of 6 Jun 2006 11:57:48 -0000

 

1. Regarding optional input <AddTimestamp>, in section 3.5.2.2 "Processing form XML signatures time-stamping" it is said that "... the timestamp token created by the server shall be a <ds:Signature>". However, most of the TSAs create RFC3161 timestamp tokens, so I think it is recommended to take it into account and allow to embed a RFC3161 timestamp token into a XML Signature.

 

This has been added in 3.5.2.3

 

2. As far as verification of enveloping CMS signatures is concerned, section 4.5 says: "2. [...]if the CMS signature is enveloping, it contains its own input data and there MUST NOT be any input documents presents". On the contrary, there are situations where we need to supply the original signed document in order to check if the signed document (included in the CMS signature) matches the document which was intended to be signed (original document). If it is not possible to include the original document as an input document in the VerifyRequest, maybe the service should return (in the VerifyResponse) the signed document within the cms signature, so the client can accomplish the matching (signed document against original document) by himself. 

 

This feature is to be considered as an issue for future work.

 

Regarding your comments in the email 16 May 2006 12:27:39 -0000

The handling of signature time-stamps has been significantly revised.

 

Regarding your comments in the email 12 May 2006 11:52:31 -0000

The handling of signature time-stamps has been significantly revised.

 

Regarding your comments in the email 25 Apr 2006 13:37:29 -0000

The revision to the handling of signature time-stamps has been revised to clarify the handling of signature errors vs time-stamp errors.

 

Regarding your comments in the email 21 Apr 2006 12:40:13 -0000

The handling of the verification time has been clarified.

 

I will let you know as soon as the document has been released for the final round of public comments.

 

Regards

 

Nick Pope (Chair OASIS DSS)