Subject: Draft 07 of UBL security profiles and proposed PRD2 UBL 2.1 doc, schemas and examples

Fellow UBL Security SC members,

Please find (described below) at:


[1] proposed PRD2 changes related to security (schemas, example 
instances, prose for the annexes) and [2] draft 07 of the UBL 
security profiles (a rewrite of UBL-XAdES-Profile 1.0-RC2.doc 
released earlier).

I have released the drafts in the same ZIP file because the two are related.

The directories in the ZIP have these files:

  \    - revised sample instances for PRD2 (now with bona fide and
         verifiable signatures)
  \profiledoc - proposed UBL security profiles rewrite (HTML and PDF)
  \ubl21doc - proposed UBL 2.1 PRD2 annex rewrite (skeletal HTML and XML)
  \xsd - proposed UBL 2.1 PRD2 extension schema changes (with PRD1
         business objects)

Jon, I tried to hack the UBL 2.1 PRD2 annex XML in such a way that 
you can replace it directly in your edited content.  Also, I've 
summarized below the changes since we will have to document the 
differences between PRD1 and PRD2.  I hope I didn't miss anything.

Also, Jon, regarding the schemas and instances, this is *not* the 
package of SGTG replacement directories for PRD2.  Only enough for 
the Security SC to work with the example signed UBL documents.  The 
SGTG replacement directory package will come later and I'll post it 
to the main list.

Please let me know if anyone has any questions.  I look forward to 
your critical feedback.  I think everything we need is in there, but 
I could have easily overlooked something ... I've been staring at 
this stuff for days.


. . . . . . . . . . Ken

[1] Changes in UBL 2.1 annexes for PRD2:
- prose changes describing new extension methodology of simply 
importing extension fragments (I've embedded Jon's name in some 
places where the changes are not obvious; I've edited the DocBook 
markup so it *should* be possible to simply replace the existing 
markup with this contributed markup as a starting point to the next 
round of edits)
- de-emphasis of XAdES in line with de-emphasis of it in the Profiles 
document (since XAdES is embedded *inside* of XMLDSig, our extension 
is now solely an XMLDSig extension that users can use any way they 
feel, including XAdES and others)
- revised the URI strings based on changes in the Profiles document
- revised the XML fragment example based on changes in the Profiles document
- added the distinction between co-signatures and countersignatures 
in an informative note (doesn't impact on validation or conformance)
- cited the mechanism in XAdES of embedding information in an XMLDSig 
in an informative note (doesn't impact on validation or conformance)
- updated the informative reference to 2009-06 version of XAdES
- absent from this document is any reference to the "detached 
profile"; should one be added?  I think not since the reference to 
the signature profiles document is in the context of the extension 
fragment which is used only in the enveloped profile
- absent from this document is any reference to the conformance 
section of the Profiles document; should one be added?
- the example file xml/UBL-Invoice-2.0-Signed.xml is removed as its 
pro-forma embedded signature was not bona fide and verifiable
- the following example files are added (the signatures are created 
using a real certificate for a dummy "Demo UBL" persona using the UBL 
TC comment email address; the free software at 
http://www.CraneSoftwrights.com/resources/ubl/index.htm#digsig was 
used to create these files):
          - a sample UBL invoice with a bona fide verifiable embedded signature
          - a sample UBL invoice referencing an external detached signature
          - the bona fide verifiable detached signature for the sample
- there are no references to detached signatures as there are in the 
profiles document ... should this change?

[2] Changes in UBL Digital Signature Profiles 1.0:
- change of the document title
- change of URI strings from "http:" protocol to "urn:" protocol
- change of the profiles being XAdES-specific to being 
XMLDSig-specific since all of XAdES is embedded inside of XMLDSig 
(and there may be non-XAdES users of XMLDSig who can now use these profiles)
- major rewrite of text needs a thorough review by UBL Security SC 
members; while I did try and copy major blocks of content, most are 
tweaked in line with terminology used in UBL
- change conformance clauses to how to conform to the profiles (not 
how the profiles conform to other specifications, which is not the 
intent of the section)
- used official OASIS DocBook structure in XML (not Word)
- distinguished normative references from informative references and 
put informative references into notes
- used some of the UBL 2.1 annex verbatim so as to ensure consistency 
(no need to say things differently) ... any changes, then, to the 
profiles document should also be made in the UBL 2.1 document

