Subject: Re: [ubl-security] Draft 07 of UBL security profiles and proposed PRD2 UBL 2.1 doc, schemas and examples


Fellow UBL Security SC members,

Today I augmented my free UBL signing application to include an 
externally supplied <ds:Object> element such as one created to 
conform to XAdES V1.4.1.  It is the responsibility of the user to 
create such a <ds:Object> with what they need in the XAdES extension 
to the XML Digital Signature.  Having created the extension as a 
separate file, it is seeded with signals telling my software which 
pieces of the extension are signed:

    http://www.CraneSoftwrights.com/resources/ubl/index.htm#digsig

Now that I've created some XAdES test signatures, I realized because 
of the new schema validation strategy of "lax" instead of "strict" 
that I can include the two XAdES schema fragments (versions 1.3.2 and 
1.4.1) in the UBL distribution.  The "lax" validation means that if a 
particular user community is *not* using XAdES, there isn't a 
problem.  If they *are* using XAdES, then their use of XAdES will be validated.

I've made the schema changes locally and I'm proposing today that the 
schemas I send to Jon for packaging PRD2 include the XAdES fragments.

Please let me know if you can think of any problems with this so we 
can discuss if I should revert to an agnostic XML digital signature 
extension object.  Otherwise, I'll put them in the next distribution 
and we'll see what our users feel.

Thanks!

. . . . . . . . . . . Ken

At 2010-11-15 18:05 -0500, I wrote:
>Fellow UBL Security SC members,
>
>Please find (described below) at:
>
>    http://www.oasis-open.org/committees/document.php?document_id=40254
>
>[1] proposed PRD2 changes related to security (schemas, example 
>instances, prose for the annexes) and [2] draft 07 of the UBL 
>security profiles (a rewrite of UBL-XAdES-Profile 1.0-RC2.doc 
>released earlier).
>
>I have released the drafts in the same ZIP file because the two are related.
>
>The directories in the ZIP have these files:
>
>  \    - revised sample instances for PRD2 (now with bona fide and
>         verifiable signatures)
>  \profiledoc - proposed UBL security profiles rewrite (HTML and PDF)
>  \ubl21doc - proposed UBL 2.1 PRD2 annex rewrite (skeletal HTML and XML)
>  \xsd - proposed UBL 2.1 PRD2 extension schema changes (with PRD1
>         business objects)
>
>Jon, I tried to hack the UBL 2.1 PRD2 annex XML in such a way that 
>you can replace it directly in your edited content.  Also, I've 
>summarized below the changes since we will have to document the 
>differences between PRD1 and PRD2.  I hope I didn't miss anything.
>
>Also, Jon, regarding the schemas and instances, this is *not* the 
>package of SGTG replacement directories for PRD2.  Only enough for 
>the Security SC to work with the example signed UBL documents.  The 
>SGTG replacement directory package will come later and I'll post it 
>to the main list.
>
>Please let me know if anyone has any questions.  I look forward to 
>your critical feedback.  I think everything we need is in there, but 
>I could have easily overlooked something ... I've been staring at 
>this stuff for days.
>
>Thanks!
>
>. . . . . . . . . . Ken
>
>[1] Changes in UBL 2.1 annexes for PRD2:
>- prose changes describing new extension methodology of simply 
>importing extension fragments (I've embedded Jon's name in some 
>places where the changes are not obvious; I've edited the DocBook 
>markup so it *should* be possible to simply replace the existing 
>markup with this contributed markup as a starting point to the next 
>round of edits)
>- de-emphasis of XAdES in line with de-emphasis of it in the 
>Profiles document (since XAdES is embedded *inside* of XMLDSig, our 
>extension is now solely an XMLDSig extension that users can use any 
>way they feel, including XAdES and others)
>- revised the URI strings based on changes in the Profiles document
>- revised the XML fragment example based on changes in the Profiles document
>- added the distinction between co-signatures and countersignatures 
>in an informative note (doesn't impact on validation or conformance)
>- cited the mechanism in XAdES of embedding information in an 
>XMLDSig in an informative note (doesn't impact on validation or conformance)
>- updated the informative reference to 2009-06 version of XAdES
>- absent from this document is any reference to the "detached 
>profile"; should one be added?  I think not since the reference to 
>the signature profiles document is in the context of the extension 
>fragment which is used only in the enveloped profile
>- absent from this document is any reference to the conformance 
>section of the Profiles document; should one be added?
>- the example file xml/UBL-Invoice-2.0-Signed.xml is removed as its 
>pro-forma embedded signature was not bona fide and verifiable
>- the following example files are added (the signatures are created 
>using a real certificate for a dummy "Demo UBL" persona using the 
>UBL TC comment email address; the free software at 
>http://www.CraneSoftwrights.com/resources/ubl/index.htm#digsig was 
>used to create these files):
>     xml/UBL-Invoice-2.0-Enveloped.xml
>          - a sample UBL invoice with a bona fide verifiable 
> embedded signature
>     xml/UBL-Invoice-2.0-Detached.xml
>          - a sample UBL invoice referencing an external detached signature
>     xml/UBL-Invoice-2.0-Detached-Signature.xml
>          - the bona fide verifiable detached signature for the sample
>- there are no references to detached signatures as there are in the 
>profiles document ... should this change?
>
>
>[2] Changes in UBL Digital Signature Profiles 1.0:
>- change of the document title
>- change of URI strings from "http:" protocol to "urn:" protocol
>- change of the profiles being XAdES-specific to being 
>XMLDSig-specific since all of XAdES is embedded inside of XMLDSig 
>(and there may be non-XAdES users of XMLDSig who can now use these profiles)
>- major rewrite of text needs a thorough review by UBL Security SC 
>members; while I did try and copy major blocks of content, most are 
>tweaked in line with terminology used in UBL
>- change conformance clauses to how to conform to the profiles (not 
>how the profiles conform to other specifications, which is not the 
>intent of the section)
>- used official OASIS DocBook structure in XML (not Word)
>- distinguished normative references from informative references and 
>put informative references into notes
>- used some of the UBL 2.1 annex verbatim so as to ensure 
>consistency (no need to say things differently) ... any changes, 
>then, to the profiles document should also be made in the UBL 2.1 document


--
Contact us for world-wide XML consulting & instructor-led training
Crane Softwrights Ltd.          http://www.CraneSoftwrights.com/o/
G. Ken Holman                 mailto:gkholman@CraneSoftwrights.com
Legal business disclaimers:  http://www.CraneSoftwrights.com/legal
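Added example, not part of Ken's message and not the UBL or XAdES schemas: a constructed pair of schemas that shows what the "lax" versus "strict" choice on an extension wildcard means in practice. The namespaces (urn:example:...), the one-element stand-in for an imported extension schema, and the three extension payloads are all made up for illustration; the only real dependency is lxml (libxml2). With "lax", content whose namespace has no imported schema passes untouched, while content from a namespace whose schema fragment is shipped (as the message proposes for XAdES) is checked and rejected when wrong; with "strict", the unknown-namespace content fails outright. The practical consequence for a receiver is that "schema valid" under lax says nothing about extension content nobody shipped a schema for, so integrity of that content rests on the XMLDSig references covering it, not on validation.

```python
# Added example (not from the message or the UBL/XAdES distribution): behaviour of
# processContents="lax" vs "strict" on an extension wildcard against three kinds of
# extension content. Schemas, namespaces and instances are constructed stand-ins.
import pathlib
import tempfile

from lxml import etree

DOC_NS = "urn:example:doc-placeholder"              # constructed document namespace
EXT_NS = "urn:example:signature-ext-placeholder"    # stand-in for an imported extension schema

# Stand-in for a shipped extension schema fragment: one global element with a typed value.
EXT_XSD = f"""<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="{EXT_NS}" elementFormDefault="qualified">
  <xs:element name="SigningTime" type="xs:dateTime"/>
</xs:schema>
"""


def document_xsd(process_contents: str, ext_location: str) -> str:
    """Document schema whose ExtensionContent admits one foreign-namespace element."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="{DOC_NS}" elementFormDefault="qualified">
  <xs:import namespace="{EXT_NS}" schemaLocation="{ext_location}"/>
  <xs:element name="Document">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="ID" type="xs:string"/>
        <xs:element name="ExtensionContent" minOccurs="0">
          <xs:complexType>
            <xs:sequence>
              <xs:any namespace="##other" processContents="{process_contents}"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
"""


def build_schema(process_contents: str) -> etree.XMLSchema:
    """Write both schema files to a temp dir and compile the document schema."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_path = pathlib.Path(tmp) / "ext.xsd"
        ext_path.write_text(EXT_XSD, encoding="utf-8")
        doc_path = pathlib.Path(tmp) / "doc.xsd"
        doc_path.write_text(document_xsd(process_contents, ext_path.as_uri()), encoding="utf-8")
        return etree.XMLSchema(file=str(doc_path))


# Constructed extension payloads: an element nobody shipped a schema for, a correct
# element from the imported namespace, and one from that namespace with a bad value.
CASES = {
    "foreign_namespace": '<x:Whatever xmlns:x="urn:example:unknown-community">anything</x:Whatever>',
    "known_good": f'<e:SigningTime xmlns:e="{EXT_NS}">2010-11-16T12:00:00Z</e:SigningTime>',
    "known_bad": f'<e:SigningTime xmlns:e="{EXT_NS}">not-a-date</e:SigningTime>',
}


def instance(case: str):
    """Build a minimal document instance carrying the chosen extension payload."""
    return etree.fromstring(
        f'<Document xmlns="{DOC_NS}"><ID>INV-1</ID>'
        f"<ExtensionContent>{CASES[case]}</ExtensionContent></Document>"
    )


def validate(process_contents: str, case: str) -> bool:
    """True if the instance passes the document schema with the given wildcard mode."""
    schema = build_schema(process_contents)
    ok = schema.validate(instance(case))
    if not ok:
        print(f"[{process_contents}/{case}] {schema.error_log.last_error.message}")
    return ok


if __name__ == "__main__":
    for mode in ("lax", "strict"):
        for case in CASES:
            print(f"{mode:6} {case:18} -> {'valid' if validate(mode, case) else 'INVALID'}")
```

Running it prints one line per mode and payload: under "lax" only known_bad is rejected, under "strict" both foreign_namespace and known_bad are.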