Re: In reply to: Reference element in page 23 of CPP/A Spec

[Robert Anthony Weida <rweida@hotmail.com>]

The Reference element within a ProcessSpecification has the necessary 
information for software to verify that the referenced document has not 
changed by comparing the (original) DigestValue with the result of applying 
the DigestMethod to the referenced document (in canonical form).  
Certificates and keys are not involved in that process.  Of course, they are 
involved in signing a CPP/CPA.  Section 8.7 covers the use of a ds:Signature 
element for signing a CPP/CPA (which is optional in version 1.0).  That 
section includes requirements and options concerning references to process 
specifications in case a CPP/CPA is signed, for example:

"Whenever a CPA is signed, each ds:Reference within a ProcessSpecification 
MUST pass reference validation and each ds:Signature MUST pass core 
validation.

NOTE: In case a CPA is unsigned, software MAY nonetheless validate the 
ds:Reference elements within ProcessSpecification elements and report any 
exceptions."

Hope that helps.

Tony



>From: Himagiri Mukkamala <himagiri@sybase.com>
>To: Robert Anthony Weida <rweida@hotmail.com>
>CC: ebxml-cppa@lists.oasis-open.org
>Subject: Re: In reply to: Reference element in page 23 of CPP/A Spec
>Date: Wed, 19 Sep 2001 06:43:38 -0700
>
>1) Note to myself: Spell check
>
>2) But the KeyInfo and CertificateINfo exist in other
>elements of Signature. So how would it get validated
>if the 'system' doesn't know the certificate to use
>to verify the document.
>
>Robert Anthony Weida wrote:
>
> > Himagiri Mukkamala wrote:
> >
> > >1) Reference element for ProcessSpecification specifies Digest method 
>as
> > >
> > >http://ww.w3.org/2000/09/xmldsig#dsa-sha1.
> > >
> > >XMLDSIG spec has only one digest algorithm mentioned and that is
> > >
> > >http://ww.w3.org/2000/09/xmldsig#sha1
> >
> > I think we should specify the latter algorithm (except "www" instead of
> > "ww").  I'll record the issue.
> >
> > >2) Wouldn't we need the whole "Signature" element instead of just
> > >the reference element for the ProcessSpecification so that
> > >it can be verified
> >
> > No, the ds:Reference element contains sufficient information to verify 
>the
> > referenced process specification document.  Sections 7.5.4 and 8.7 
>contain
> > several passages on the the use of ds:Reference elements in relation to
> > ds:Signature elements, including the following from Section 7.5.4.5:
> >
> > NOTE: It is recognized that the XML Digital Signature 
>specification[XMLDSIG]
> > provides for signing an XML document together with externally referenced
> > documents.  In cases where a CPP or CPA document is in fact suitably 
>signed,
> > that facility could also be used to ensure that the referenced
> > Process-Specification documents are unchanged.  However, this 
>specification
> > does not currently mandate that a CPP or CPA be signed.
> >
> > >-h
> >
> > Tony
> >
> > _________________________________________________________________
> > Get your FREE download of MSN Explorer at 
>http://explorer.msn.com/intl.asp
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
>
>
>----------------------------------------------------------------
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp