
ubl-security message



Subject: Regarding detached signatures



Dear friends,

The TS 101 903 standard (last version is 1.4.1 from 2009-06-15) describes several ways of creating electronic signatures, based on XMLDSig (http://www.w3.org/TR/xmldsig-core/).

So most of what is needed to sign XML files electronically is in those standards.

One powerful idea in the recommendation we are compiling is that a UBL signed file can be independently verified by an "electronic signature only" application and a "UBL aware" format processor.

In fact, enveloped signatures are specific to XML files, while detached and enveloping signatures can also be done in CMS and CAdES.

Also a powerful idea is that keeping a small specific way of doing electronic signatures simplifies generation and verification of those electronic signatures and eases interoperability.

In fact, I would go deeper into the interoperability idea and would prescribe that UBL signatures are always encoded by the generating party in XAdES-XL format, including OCSP and timestamping, freeing the receiving party from the burden of Certification Service Provider validation (which can be very complex in an international multi-language environment). By the way, I wonder if we should take into account services such as the Trust-service Status List (TSL) that are about to be generally deployed in Europe (one or more in every country).

I know this discussion (XAdES-XL) has been intentionally left out of the scope of this document, precisely to try to ease agreements, but maybe it is interesting to know that XAdES-T is in fact included in XAdES-XL. So, in those countries in which a XAdES-T signature is mandatory, this can be perfectly complied with using XAdES-XL.

So to conclude, I would prefer to recommend a small subset of the standard to make interoperability easier, and in this sense I would prefer not to add a definition of detached signatures. But I can change my mind if anyone can convince me that there are environments in which a detached signature is a solution and an enveloped signature is a problem. Because, on the other hand, we don't need to make any recommendation just to repeat what is already in the standards.

Best regards,

 

Julian Inza Aldaz
Presidente
Albalia Interactiva, S.L.
Web Portal: www.albalia.com Blog: blog.inza.com
E-Mail: julian.inza@albalia.com
Phone: +34 91 388 0789 Phone: +34 902 365 612

Please update your address book. Our new postal address is: C/ Mentrida, 6 - 28043 - Madrid (Spain).

This e-mail message could contain CONFIDENTIAL INFORMATION property of Albalia Interactiva. If received by mistake, please ignore it, delete it and notify the sender. Your personal information can be added to a relationships file (that can include marketing information) at Albalia Interactiva where you can exercise your rights to access, rectify or cancel your data according to the Spanish 15/1999 Organic Law. You are authorised to use personal data of the signer of this message as long as there is a way to exercise the mentioned rights by the sender.



