ubl-security message

Subject: Re: [ubl-security] New draft for the UBL XAdES profile


Hi Andrea and all, 

We've been trying to use digital signatures within the CODICE project using the guidelines defined in the UBL SSC report, and there are some issues that I think are not covered by the current document.

Let me explain what our requirements are, and some of the issues and proposals for consideration:

- We need to use sequential signature (countersignature) and parallel signature (cosignature) including all signatories in the same document.
- We need to use technologies and standards with supporting tools, just to increase the level of adoption of the use of signatures.

Here are some comments on the document UBL XAdES Profile Version 1.0 (March 2010):

1) cac:Signature/cbc:ID is updated before placing the signature, and ext:UBLExtension/cbc:ID after placing the signature, so the integrity of this relationship is not ensured. It seems that maintaining the element cac:Signature related to the extension is not appropriate.

We think that it is interesting to use the cac:Signature as meta information about the signatory party, but it should be totally unlinked from the electronic signature. The point is that the UBL Signature element creates confusion and makes it hard to create signatures. That's why I would recommend not using the cac:Signature element from the UBL library, using ds:Signature instead.

2) There is an idea to create the structures cac:Signature and ext:UBLExtension (as many as signatures required) prior to creating the signature.

It is OK from our point of view (except for point 1 above), but in this case you need to know the number of signatory parties beforehand, and prepare as many ext:UBLExtension components as signatures before creating the signatures, as the "Subtract" clause from the filter just excludes the element ds:Signature.

3) Regarding the use of the transformation XPath Filter, we consider that this is a limitation for the existing technical tools. We should allow for the use of REC_xpath (dsig:XPath). It would be great to avoid this kind of transformation, but it seems not possible.

4) Finally, we think that we could use the same document to sign without using XAdES, I mean just using XML DSig.


Some proposals for consideration:


1) Remove any relationship from cac:Signature to the electronic signature, as we cannot guarantee the integrity of the relationship. And avoid promoting the cac:Signature as a placeholder for the signature in UBL documents.

2) Allow for XML DSig; leave the decision on the digital signature profile to the end users.

2.1.- In CounterSignature (sequence), add the ds:Object element with the ds:Signature of the SignatureValue for the previous signature.

3) For the cosignature (parallel).

3.a.- When the number of signatory parties is known --> use your recommendation (UBL XAdES Profile Version 1.0; 1 March 2010), adding the possibility to use the transformation based on REC_xpath (dsig:XPath) as it is more extended.

4b.- If the signatory parties are unknown --> Establish the following exception to the UBL Document when signing: Exclude all UBLExtension and descendants where there is a ds:Signature.

5) We possibly could get another exception when signing UBL documents, for instance excluding any UBLExtension containing a special element, for instance UnsignedData:

<element name="UnsignedData" type="UnsignedDataType" />
<complexType name="UnsignedDataType" mixed="false">
  <sequence>
    <any namespace="##any" minOccurs="0" maxOccurs="unbounded" />
  </sequence>
</complexType>

I'm looking forward to hearing from you.

Best regards, 
Oriol


On 15/03/2010, at 05:07, Andrea Caccia wrote:

> Dear all,
> please find attached a new draft for the UBL XAdES profile. As agreed during the F2F meeting in Copenhagen there is the opportunity to insert this profile with the release of UBL 2.1.
> I kindly ask you to review it before the end of this week so, if there isn't any major issue, I can take into account your comments and send it to the TC in time.
> 
> Thank you.
> 
> Regards,
> Andrea
> <UBL-XAdES-Profile 1.0-20100301.doc>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
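The difference between the two signing exceptions discussed in the message (point 2 and proposal 3.a, where only ds:Signature is subtracted and the ext:UBLExtension shells stay in the signed data, versus proposal 4b, where every UBLExtension that carries a ds:Signature is excluded) can be made concrete by computing the digest a signer would see at each step. The script below is an added example, not code from the message's author, the UBL TC or the CODICE project. It uses only the Python standard library (ElementTree for pruning and its C14N 2.0 canonicalize(), Python 3.8+, for stable bytes) as a stand-in for the XPath transform and C14N that a real XMLDSig engine would apply; the invoice, extension IDs and signature values are constructed placeholders, and the namespace URIs are the real UBL 2 and XML Signature ones.

```python
# Added example; not code from the message's author, the UBL TC or the CODICE
# project. Standard library only: ElementTree prunes the document and its
# C14N 2.0 canonicalize() (Python 3.8+) gives stable bytes to digest. A real
# XMLDSig engine applies the exclusion as a ds:Transform with C14N 1.x; the
# pruning here stands in for that transform. Signature values are placeholders.
import copy
import hashlib
import xml.etree.ElementTree as ET

NS = {  # real UBL 2 and XML Signature namespace URIs
    "ext": "urn:oasis:names:specification:ubl:schema:xsd:CommonExtensionComponents-2",
    "cbc": "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample invoice. It already carries a non-signature extension, so
# the ext:UBLExtensions container exists before the first signature is added;
# otherwise the container itself would enter the signed bytes at signing time.
UNSIGNED_INVOICE = """<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
  xmlns:ext="urn:oasis:names:specification:ubl:schema:xsd:CommonExtensionComponents-2"
  xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2">
  <ext:UBLExtensions>
    <ext:UBLExtension>
      <cbc:ID>ext-1</cbc:ID>
      <ext:ExtensionContent><Note>not a signature</Note></ext:ExtensionContent>
    </ext:UBLExtension>
  </ext:UBLExtensions>
  <cbc:ID>INV-001</cbc:ID>
</Invoice>"""


def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def add_extension_shell(doc, ext_id):
    """Append an ext:UBLExtension prepared for a signature and return it."""
    exts = doc.find("ext:UBLExtensions", NS)
    ext = ET.SubElement(exts, tag("ext", "UBLExtension"))
    ET.SubElement(ext, tag("cbc", "ID")).text = ext_id
    ET.SubElement(ext, tag("ext", "ExtensionContent"))
    return ext


def place_signature(ext, sig_value):
    """Put a placeholder ds:Signature into a shell's ext:ExtensionContent."""
    content = ext.find("ext:ExtensionContent", NS)
    sig = ET.SubElement(content, tag("ds", "Signature"))
    ET.SubElement(sig, tag("ds", "SignatureValue")).text = sig_value


def signed_input(doc, mode):
    """Canonical bytes a signer would digest under the chosen exception.

    subtract-signature: remove only ds:Signature elements (the profile's
        "Subtract" clause as the message describes it); empty shells remain.
    exclude-extension: remove every ext:UBLExtension containing a
        ds:Signature (proposal 4b), however many there are.
    """
    work = copy.deepcopy(doc)  # never mutate the caller's document
    if mode == "subtract-signature":
        for parent in list(work.iter()):
            for sig in parent.findall("ds:Signature", NS):
                parent.remove(sig)
    elif mode == "exclude-extension":
        for exts in list(work.iter(tag("ext", "UBLExtensions"))):
            for ext in exts.findall("ext:UBLExtension", NS):
                if ext.find(".//ds:Signature", NS) is not None:
                    exts.remove(ext)
    else:
        raise ValueError("unknown mode: %s" % mode)
    return ET.canonicalize(ET.tostring(work, encoding="unicode")).encode("utf-8")


def digest(doc, mode):
    return hashlib.sha256(signed_input(doc, mode)).hexdigest()


def demo_unknown_count():
    """Signatories arrive one at a time: digests after 0, 1 and 2 signatures
    per mode. Only exclude-extension keeps them stable; under
    subtract-signature each new shell changes the bytes earlier signers saw."""
    doc = ET.fromstring(UNSIGNED_INVOICE)
    seen = {"subtract-signature": [], "exclude-extension": []}
    for step in (0, 1, 2):
        if step:
            place_signature(add_extension_shell(doc, "sig-%d" % step), "cGxhY2Vob2xkZXI=")
        for mode in seen:
            seen[mode].append(digest(doc, mode))
    return seen


def demo_known_count():
    """Proposal 3.a: both shells created up front, then signed in turn. The
    subtract-signature digests before and after each placement are all equal."""
    doc = ET.fromstring(UNSIGNED_INVOICE)
    shells = [add_extension_shell(doc, "sig-%d" % i) for i in (1, 2)]
    seen = [digest(doc, "subtract-signature")]
    for shell in shells:
        place_signature(shell, "cGxhY2Vob2xkZXI=")
        seen.append(digest(doc, "subtract-signature"))
    return seen
```

Running demo_unknown_count() shows three identical digests for exclude-extension and three different ones for subtract-signature, which is exactly why the subtract-only filter forces the number of signatories to be fixed in advance; demo_known_count() shows that once the shells are pre-created, the subtract-only filter is stable too. The same pruning loop would serve proposal 5 by testing for an UnsignedData marker element instead of ds:Signature. Note the caveat encoded in the sample: the ext:UBLExtensions container must already exist in the unsigned document, since neither exception removes the container itself.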


