
Subject: [ubl-psc] RE: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a signature reference]


Kama

Hi. Is there anywhere we can view the COML way of using XPath to view the signature? 
Is the signature in the message header? With ebMS 2, I gather that everything except 
the message header is an attachment and therefore, I gather, not available to XPath 
(anyone know better?). I also gather that ebMS 3 allows too for messages where the
payload is in the body of the SOAP part (non-multipart messages) so in that case the 
payload would be available to XPath. I don't have first-hand knowledge of the following 
but from what I've heard said the problems with just supporting signatures in the SOAP
envelope seem to be 

1. that the signature has to apply to the whole of the message (including even the
message header? - not sure about that) and maybe can't just apply to a part of the 
payload as it could if you had the signature in the payload itself and 

2. if the message header gets discarded in the processing the signature is no longer 
available to business applications

I've heard say that this may make expensive archiving software necessary to adequately
store the signature along with the message header and make that available on request
to the related payload.

So I just wonder if the way COML uses signatures is different from the way ebMS 2 uses
them and whether COML has an alternative to making the payload an attachment so
that XPath can be used to point to something in the body, say, of a message envelope. 

However I remember a comment on ubl-dev that a technology, a proprietary one, 
expects, it seems, to put the signature in the payload and this way it is available
to downstream applications and just part of the message can be signed or secured and
the comment, as I remember it, was asking for support for this in UBL. I'd quite like to
see some further information and some consideration of this approach too before a
commitment was made to one way of using digsig.

All the best

Stephen Green


>>> "Kama, Kamarudin Bin Tambi" <kama@crimsonlogic.com> 29/09/05 08:01:32 >>>
Hi Peter, Tim,

Sorry for the late response. We have reviewed the proposal for signature
reference. Below is our comment:-

 

1. The signature reference calls for the usage of detached
signature. This would be useful in a scenario where binary data is
involved and where the referenced signature is always available and
accessible via the specified URL.
2. Both ebXML messaging service and COML, however, use the enveloped
approach, wherein the digital signature (digsig) is embedded inside the
message itself. In the case of COML, XPath is being used to reference
the appropriate section of the payload that needs the digsig. This is a
preferred approach where we need to perform online verification of
digsig. Hence, there will not be a need to make reference to an external
resource, which may not be available at the time when the digsig
verification is being performed. This reduces the possibility of digsig
failure.

 

We would urge that you study the COML approach in handling digsig for
XML payload.

 

Regards

Kama

UBL TSC Chair

 

 

-----Original Message-----
From: Tim McGrath [mailto:tmcgrath@portcomm.com.au] 
Sent: Tuesday, September 13, 2005 9:06 PM
To: ubl-tsc@lists.oasis-open.org 
Subject: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a signature reference]

 

forwarded from Peter Borresen.  

this is a sample instance of his proposed digital signature approach.
can we get some technical feedback on the suitability of this for our
needs.

-------- Original Message --------
Subject: [ubl-psc] Proposal for a signature reference
Date: Tue, 13 Sep 2005 14:11:49 +0200
From: Peter Larsen Borresen <plb@itst.dk>
To: ubl-psc@lists.oasis-open.org, "'ytlee@cecid.hku.hk'" <ytlee@cecid.hku.hk>
CC: 'jon.bosak@sun.com' <jon.bosak@sun.com>

 

Hello Thomas and Procurement subcommittee
 
Please find my proposal for a signature reference in the xml-spy screen
dump and xml example file.
 
 
Best regards
 
Peter L. Borresen
 
 <<SignatureReference.gif>>  <<UBL-Order-1.0-Office-Example_with
signatureReference.xml>> 
 

 

-- 
regards
tim mcgrath
phone: +618 93352228  
postal: po box 1289   fremantle    western australia 6160
 
DOCUMENT ENGINEERING: Analyzing and Designing Documents for Business
Informatics and Web Services
http://mitpress.mit.edu/catalog/item/default.asp?sid=632C40AB-4E94-4930-A94E-22FF8CA5641F&ttype=2&tid=10476
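
Added example (not part of any message in this thread, and not COML or ebMS code): a Python illustration of the enveloped, partial-signature idea discussed above, in which a signature embedded in the payload covers only the element selected by a path, so it still verifies after the envelope and header are discarded and needs no external URL. Assumptions: the element names, the `Path` attribute and the sample order are constructed and are not XML-DSig syntax; an HMAC with a demo key stands in for a public-key signature; ElementTree's path subset stands in for full XPath.

```python
import copy, hashlib, hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # assumption: an HMAC key stands in for a signing key pair
# Constructed sample: an envelope whose header may be discarded downstream.
MESSAGE = ("<Envelope><Header><MessageId>m-1</MessageId></Header><Body><Order><ID>42</ID>"
           "<Line><Item>Pen</Item><Qty>10</Qty></Line><Note>draft</Note></Order></Body></Envelope>")

def c14n(node):
    """Canonical bytes (C14N 2.0) of one element, ignoring its tail text."""
    node = copy.copy(node)
    node.tail = None
    return ET.canonicalize(ET.tostring(node, encoding="unicode")).encode()

def digest_of(payload, path):
    node = payload.find(path)
    if node is None:
        raise ValueError("reference does not resolve: " + path)
    return hashlib.sha256(c14n(node)).hexdigest()

def sign_part(payload, path):
    """Embed a Signature in the payload that covers only the element at `path`."""
    sig = ET.SubElement(payload, "Signature")           # hypothetical element names
    ref = ET.SubElement(sig, "Reference", {"Path": path})
    ET.SubElement(ref, "DigestValue").text = digest_of(payload, path)
    ET.SubElement(sig, "SignatureValue").text = hmac.new(KEY, c14n(ref), hashlib.sha256).hexdigest()

def verify_part(payload):
    """Verify the embedded signature using only the payload, no envelope or URL."""
    ref = payload.find("Signature/Reference")
    if ref is None:
        return False
    try:
        digest = digest_of(payload, ref.get("Path", ""))
    except (ValueError, SyntaxError):
        return False
    mac = hmac.new(KEY, c14n(ref), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(digest.encode(), ref.findtext("DigestValue", "").encode())
            and hmac.compare_digest(mac.encode(), payload.findtext("Signature/SignatureValue", "").encode()))

def demo():
    order = ET.fromstring(MESSAGE).find("Body/Order")
    sign_part(order, "Line")
    payload = ET.fromstring(ET.tostring(order))   # envelope and header discarded
    intact = verify_part(payload)
    payload.find("Note").text = "final"           # edit outside the signed part
    unsigned_edit = verify_part(payload)
    payload.find("Line/Qty").text = "1000"        # edit inside the signed part
    return intact, unsigned_edit, verify_part(payload)
```

`demo()` returns the verification result for the extracted payload, for an edit outside the signed element, and for an edit inside it.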

