

Subject: Re: [ubl-ndrsc] Re: [ubl-lcsc] UBL NDR SC Minutes 4 June 2003


Tim,

I'm not sure the following is evident from the minutes (perhaps not) but
the sense of the meeting was that NDR was recommending that nothing
be done in this respect; in other words, most people present at the
meeting were also of the idea that it should not be done. There will be no
complex and contentious paper from NDR; not because it is a distraction
from the primary deliverable, but because it would lead us to bind UBL to
a particular mechanism for signatures, perhaps even a particular transport
mechanism. I am sure that Mark will be able to articulate this much better
at the next LC meeting.

Tim McGrath wrote:
> At the London Face-to-Face, David presented his case to the LC team. We 
> recognised that there may be a useful business case (in some 
> circumstances) for having a digital signature tied to the instance 
> document.  We viewed this as a 'nice to have' and a 'value-added' 
> feature on the understanding it would be a trivial and simple 
> implementation issue requiring a few lines of schema code appended to 
> each UBL document schema. (something akin to the way namespaces, schema 
> headers, etc are added).  It would also be optional.  We did not think 
> there was any down side to this idea.
> 
> Following this debate has confirmed my personal opinion that this issue 
> is a distraction to the primary deliverable of UBL.  Personally, I will 
> suggest to the LC team that if the NDR position paper is going to be 
> complex and contentious then let's let it sleep for 1p00.  Meanwhile, we 
> can assume implementations will rely on message handling systems (eg 
> ebXML MS) to do this (as Mark reminds us) and their own gateways to link 
> signatures to instances if necessary.
> 
> I will put my view to the LC team on our Friday call and then let the 
> NDR know if we are still keen to pursue this.
> 
> 
> CRAWFORD, Mark wrote:
> 
>> LCSC - Please note item 5b.
>>
>> The UBL NDR SC held a meeting at 11:30 EST 4 June 2003.  
>> http://www.timeanddate.com/worldclock/fixedtime.html?year=2003&mon=06&day=04&hour=15&min=0&sec=0 
>>
>>
>> 5. Discussion Items:
>>
>>     b. Digital Signatures
>>
>>     This issue was raised by Dave Burdett.  He has asked to be a 
>> participant in the discussions.  Jon believes that he has already 
>> added Dave as a member non-voting for the TC. Mark to take for action 
>> for the NDR list.  Paul believes that we may be able to avoid this 
>> whole issue by using external mechanism.  Mark talked about include 
>> and the W3C XML DSig spec.  Eduardo says you can do external.  Eve 
>> says that XML signature allows you to associate signatures with a 
>> document while having the signature separate.  Eve also said that Mark 
>> is right that you can allow for extending the schema through include.  
>> Some other ways are to use channel security (transport security) ie 
>> ebMS.  There is also the OASIS WSS, which has some SOAP header 
>> extensions that allow you to associate the signature with the payload 
>> and goes a step further to be specific to the actual messaging 
>> system.  The reason for imbedding in the payload is if you want it to 
>> be really persistent and don't want to go out to the network to get it 
>> because if the signature is external to the payload then it gets 
>> stripped off.  EG - thinks that UBL should be agnostic on this issue 
>> and does not believe that it is something that UBL should do.  He 
>> thinks that users that may need persistence, then it should be handled 
>> as an allowable context specific extension.  Paul confirmed what Eve 
>> had said regarding persistence.  Anne indicated that LC has in fact 
>> made a decision to support DSig.  Mark expressed support for Eduardo's 
>> position.  Anne asked if someone would get back to LCSC.  Mark 
>> indicated he would try and join the next LCSC call, but we still did 
>> not have a NDR consensus. Eve says that what is proposed is feasible, 
>> but may not be desirable.   Bill believes that things like 
>> non-repudiation and tamper protection are handled by various transport 
>> mechanisms.  Anne says that LCSC may want the signature to stay with 
>> the document.  Bill believes that we may be on a very slippery slope 
>> with this issue and that there are many difficulties inherent in 
>> trying to bring this in
>> signature is usually multiple fold 1) signing a particular portion or 
>> document ensures that the document has not been modified and 2) who 
>> the document came from.  The problem is that you have to maintain the 
>> canonical form of the document along with the decision.  Bill asserts 
>> that XML DSig recanonicalizes the original submission.  Paul says it 
>> depends on the approach.  Mark to send minutes to LCSC and be on next 
>> LC call.
>>  
>>
> 

-- 
Eduardo Gutentag               |         e-mail: eduardo.gutentag@Sun.COM
Web Technologies and Standards |         Phone:  +1 510 550 4616 x31442
Sun Microsystems Inc.          |         1800 Harrison St. Oakland, CA 94612
W3C AC Rep / OASIS TAB Chair
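
The minutes quoted above turn on two properties of XML signatures: the signature can be kept separate from the document, and it is computed over a canonical form rather than over the raw bytes. The following is an added example, not part of the original thread or of any UBL or OASIS deliverable. It assumes Python's standard-library C14N 2.0 and an HMAC standing in for a real XML DSig `SignedInfo` signature; the invoice documents, element names and key are constructed.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed sample: one invoice as two different serializers might emit it
# (attribute order, quote style and empty-element form differ).
DOC_A = ('<Invoice id="inv-1" issued="2003-06-04">'
         '<Amount currency="USD">100.00</Amount><Note/></Invoice>')
DOC_B = ("<Invoice issued='2003-06-04' id='inv-1'>"
         "<Amount currency='USD'>100.00</Amount><Note></Note></Invoice>")
# Constructed sample: same invoice with the amount altered after signing.
DOC_TAMPERED = DOC_A.replace("100.00", "900.00")

# Assumption: a shared secret stands in for the signer's private key.
KEY = b"constructed-demo-key"


def raw_digest(xml_text):
    """SHA-256 over the bytes exactly as serialized."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text):
    """SHA-256 over the C14N 2.0 form, as a signature reference would use."""
    return hashlib.sha256(canonicalize(xml_text).encode("utf-8")).hexdigest()


def sign_detached(xml_text, key=KEY):
    """Return a signature value that is stored apart from the document."""
    canonical = canonicalize(xml_text).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_detached(xml_text, signature, key=KEY):
    """Recanonicalize the received document and compare in constant time."""
    return hmac.compare_digest(sign_detached(xml_text, key), signature)


if __name__ == "__main__":
    sig = sign_detached(DOC_A)
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests equal:", canonical_digest(DOC_A) == canonical_digest(DOC_B))
    print("re-serialized verifies: ", verify_detached(DOC_B, sig))
    print("tampered verifies:      ", verify_detached(DOC_TAMPERED, sig))
```

The detached value only helps the receiver if it travels with, or can be re-associated with, the document, which is the persistence concern raised in the minutes.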


