I think that we are in general agreement.
You may be right that the asynch profile is different from the others.
Juan Carlos - perhaps you could add "baseline
profiles" to the list of work items.
From: Carlos Gonzalez-Cadenas
Sent: 12 March 2007 14:49
To: Pope, Nick
Cc: Juan Carlos Cruellas;
Subject: Re: ResponseBaseType and
Agree with the different profiles for signing / verification.
Regarding the "abstract profiles", my understanding of an
"abstract profile" is that it's one that cannot be directly
implemented (but can be further profiled in a concrete(implementable) profile).
The AdES abstract profile is a good example for that, further profiled by
the concrete profiles XAdES and CAdES.
In contrast, the asynchronous profile is another kind of thing, because it's
not intended to be a "standalone profile", but an orthogonal
feature (orthogonal to a "standalone profile") that customizes
the behavior of the "standalone profile" (in this case allowing the
response to be deferred in an asynchronous way). Note that even the invocation
method is different (the asynchronous profile is never expected to be used via
the Profile attribute of the request, but instead with the
dss:AdditionalProfiles). I think that explicitly differentiating these two
things can bring a lot of clarity to this issue.
Regarding the optional inputs / outputs location, I agree that maybe it's
better to have them in the core (for a cleaner reusability model for profiles).
In this way, the baseline profiles don't extend, but select what kind of
contents and what kind of optional inputs / outputs can be used in this
On 3/12/07, Pope, Nick <Nick.Pope@thales-esecurity.com>
Agree in general on your suggested baselines. I
wondered about even separating out the signing & verification. As
they are relatively independent I can see implementations sometime support one
but not they other. I see no problem with an implementation supporting
I suggest that we leave the all the existing optional inputs
/outputs where they are in the Core so that other profiles
Perhaps the transport can be conformance options within the
profile. Should one be required for interopability?
I would not expect the baseline profiles would
"extend" the core. Rather I would expect it select to select
options defined within the core that would be required to conform to a
particular baseline profile.
As for asynchronous I suggest that the existing approach of
defining an "abstract profile" that can be selected by
implementations to add to the baseline would be OK.
Sent: 12 March 2007 12:14
To: Pope, Nick
Cc: Juan Carlos
ResponseBaseType and profiles
Yes, I consider that it's practical to implement the core with all forms of
signature supported. You can think about "validation service
providers" that are used by different clients (each one having different
kinds of signatures, i.e. CMS / XML).
In the other hand, it's not clear for implementers which is the minimal subset
of the protocol needed to claim compliance with DSS core (well, it seems that
it's the whole core). I agree with you that creating "baseline"
profiles (one for every "major use case" ( i.e. XML
signatures(creation/validation), CMS signatures(creation/validation), XML
timestamps(creation/validation), CMS timestamps(creation/validation)) would
help a lot, in this way the implementers can choose which "packages"
they do implement.
I would move to these "baseline profiles" the optional inputs/outputs
that are specific for this kind of signature, so they don't mess in the other
baseline profiles, and I would leave the common optional inputs / outputs in
I would also leave the security/transport protocols in the core, as they
are orthogonal to the "big use cases", so if there's no constraint in
the "baseline profile", any of these protocols can be used.
So, for me (and I understand that this is also your proposal), the core in
itself is abstract, and the "implementable" parts are the
"baseline profiles" that extend the core.
As another side comment (very important for me), in DSS the only way to add
optional functionality to the protocol is to create a profile. In many cases,
these "profiles" only add some "feature" (in the form
of a number of optional inputs / outputs) to the base. I would like to see
support in DSS (as a first-class citizen) for a lightweight form of
"profiles", called "features" or "capabilities"
(look for example at SPML). These features can be implemented on top of any of
the profiles when needed.
I don't think we need a full profile for defining i.e. the
"asynchronous" capability. This should be a
"feature"/"capability" defined in the core (that include
several optional inputs / outputs). I see that this approach has several
- more clear: the implementers see "packages
of functionality" that they implement or not depending on their
needs (żdo I need async processing or not? żdo I need policy support or
not? ...). Even an implementation that contains all the features
implemented can be later operated activating some features at
- more manageable: for the TC, to have tens of spec
documents is hard to manage. I see that profiles should only be used for
"big things" (i.e. the baseline profiles for every big "use
case" or, as another example, the XAdES profile), not to add two
optional inputs/outputs. For me, every "feature" should deserve
a mini-chapter (one or a few pages) in the core or in some profile (if the
feature is local to a profile), like what the folks at SPML are doing.
PS: BTW, is this going to DSS 1.x or DSS 2?. In this case I would like to
discuss some modifications that are relevant in the light of this proposed
3/12/07, Pope, Nick <Nick.Pope@thales-esecurity.com>
Is it practical to implement the Core with all forms of
signature and transport data to the server? I would suggest rather we
define two "baseline" profiles on for CMS the other for XML
using perhaps SOAP with data carried as a MIME object.
From: Carlos Gonzalez-Cadenas
Sent: 11 March 2007 16:04
To: Pope, Nick; Juan Carlos
Subject: dss:ResponseBaseType and
Nick, Juan Carlos,
The response base type (dss:ResponseBaseType) requires to include the profile.
Which value is expected for responses produced by servers that implement only
core (no profiles) ?.
In my opinion, this attribute should be optional, as in its analogous type