Re: [ubl-security] Re: [ubl] Re: Making references

["G. Ken Holman" <gkholman@CraneSoftwrights.com>]

Well done, Andrea.  I'm looking forward to seeing the end result as 
it looks like it will be very comprehensive and a good guideline for 
people like me who do not have a background in applying signature 
specifications.  I think we will be a big audience for your document.

My only comment has to do with the identifiers for extensions.  I 
strongly feel we cannot impose any constraints on extension 
identifiers.  Their interpretation is solely for the management of 
extensions amongst other extensions.  I firmly believe 
ext:UBLExtension/cbc:ID values should not have any reflection on 
business objects of any kind, including signature objects.  It is 
scaffolding information, it is not business information.

Please let me know if I can help you with the schema fragments.

I hope everyone has a safe and happy holiday!

. . . . . . . . . . . Ken

At 2009-12-23 05:14 +0100, Andrea Caccia wrote:
>Since there are no further comments, I'like to modify the current 
>draft taking into account our recent discussions.
>
>These are the changes I'd like to introduce:
>- use of cac:Signature with the original UBL semantic. Its main 
>purpose is twofold: to identify the signature profile and to point 
>to the "real" digital signature (being it detached or enveloped 
>within the UBL document). This SC will define a set of reserved URIs 
>(with a common base) and any user group can do the same or even not 
>use cac:Signature at all and define different rules, provided they 
>do not use the reserved URIs.
>- support for multiple signatures. As both CAdES and XAdES can 
>support multiple signatures directly, I think it's better to use the 
>mechanisms allowed by the standards and just profile their use.
>- about the additional wrapping structure to be used in the 
>extension, I'll describe both the solutions (with and without it) 
>then we'll try to reach an agreement on what to keep. I'm not in 
>favor to keep both and, if no agreement is reached, I propose to 
>leave the decision to the TC. I'd like to specify that, without the 
>wrapping element, no constraint is imposed on the ID inside the 
>extension and thai the ID inside the signature has the constraint to 
>be equal to the ID chosen for the extension. If the TC consider this 
>as a violation of the UBL semantic then the wrapping solution can be taken.
>- support for detached signatures, both XAdES and CAdES: there are 
>the following additional reasons to take this into account, even if 
>the work can probably only drafted at this stage:
>    * as was originally mentioned before activating this SC 
> UN/CEFACT TBG6 is also dealing with security. After the UBL F2F and 
> CEFACT forum in Rome I started to participate to their work. The 
> first format considered was the enveloping one, that we excluded as 
> one of our requirements as it does not preserve the syntax of the 
> signed message. The detached format will be supported in the next 
> release of the Recommendation we're working on as the signature 
> could be published and available or carried as a soap attachment 
> and this means a common format can be defined.
>    * in ETSI we're working on a the "attached signatures", a way to 
> package the detached signature and the signed object in a standard 
> structure. We are also considering OASIS Open Document format (part 
> 3). Attached signatures could be a solution for archiving needs, as 
> the document and its signature are collected in a single file.
>
>Please let me know if it could work, I'm going to start next week.
>
>Andrea


--
UBL and Code List training:      Copenhagen, Denmark 2010-02-08/10
XSLT/XQuery/XPath training after http://XMLPrague.cz 2010-03-15/19
XSLT/XQuery/XPath training:   San Carlos, California 2010-04-26/30
Vote for your XML training:   http://www.CraneSoftwrights.com/o/i/
Crane Softwrights Ltd.          http://www.CraneSoftwrights.com/o/
Training tools: Comprehensive interactive XSLT/XPath 1.0/2.0 video
Video lesson:    http://www.youtube.com/watch?v=PrNjJCh7Ppg&fmt=18
Video overview:  http://www.youtube.com/watch?v=VTiodiij6gE&fmt=18
G. Ken Holman                 mailto:gkholman@CraneSoftwrights.com
Male Cancer Awareness Nov'07  http://www.CraneSoftwrights.com/o/bc
Legal business disclaimers:  http://www.CraneSoftwrights.com/legal