Subject: Re: [ubl-security] Draft 07 of UBL security profiles and proposed PRD2 UBL 2.1 doc, schemas and examples
Fellow UBL Security SC members,

Today I augmented my free UBL signing application to include an externally supplied <ds:Object> element such as one created to conform to XAdES V1.4.1. It is the responsibility of the user to create such a <ds:Object> with what they need in the XAdES extension to the XML Digital Signature. Having created the extension as a separate file, it is seeded with signals telling my software which pieces of the extension are signed:

http://www.CraneSoftwrights.com/resources/ubl/index.htm#digsig

Now that I've created some XAdES test signatures, I realized because of the new schema validation strategy of "lax" instead of "strict" that I can include the two XAdES schema fragments (versions 1.3.2 and 1.4.1) in the UBL distribution.

The "lax" validation means that if a particular user community is *not* using XAdES, there isn't a problem. If they *are* using XAdES, then their use of XAdES will be validated.

I've made the schema changes locally and I'm proposing today that the schemas I send to Jon for packaging PRD2 include the XAdES fragments.

Please let me know if you can think of any problems with this so we can discuss if I should revert to an agnostic XML digital signature extension object. Otherwise, I'll put them in the next distribution and we'll see what our users feel.

Thanks!

. . . . . . . . . . . Ken

At 2010-11-15 18:05 -0500, I wrote:
>Fellow UBL Security SC members,
>
>Please find (described below) at:
>
>  http://www.oasis-open.org/committees/document.php?document_id=40254
>
>[1] proposed PRD2 changes related to security (schemas, example
>instances, prose for the annexes) and [2] draft 07 of the UBL
>security profiles (a rewrite of UBL-XAdES-Profile 1.0-RC2.doc
>released earlier).
>
>I have released the drafts in the same ZIP file because the two are related.
>
>The directories in the ZIP have these files:
>
>  \           - revised sample instances for PRD2 (now with bona fide and
>                verifiable signatures)
>  \profiledoc - proposed UBL security profiles rewrite (HTML and PDF)
>  \ubl21doc   - proposed UBL 2.1 PRD2 annex rewrite (skeletal HTML and XML)
>  \xsd        - proposed UBL 2.1 PRD2 extension schema changes (with PRD1
>                business objects)
>
>Jon, I tried to hack the UBL 2.1 PRD2 annex XML in such a way that
>you can replace it directly in your edited content. Also, I've
>summarized below the changes since we will have to document the
>differences between PRD1 and PRD2. I hope I didn't miss anything.
>
>Also, Jon, regarding the schemas and instances, this is *not* the
>package of SGTG replacement directories for PRD2. Only enough for
>the Security SC to work with the example signed UBL documents. The
>SGTG replacement directory package will come later and I'll post it
>to the main list.
>
>Please let me know if anyone has any questions. I look forward to
>your critical feedback. I think everything we need is in there, but
>I could have easily overlooked something ... I've been staring at
>this stuff for days.
>
>Thanks!
>
>. . . . . . . . . . Ken
>
>[1] Changes in UBL 2.1 annexes for PRD2:
>- prose changes describing new extension methodology of simply
>importing extension fragments (I've embedded Jon's name in some
>places where the changes are not obvious; I've edited the DocBook
>markup so it *should* be possible to simply replace the existing
>markup with this contributed markup as a starting point to the next
>round of edits)
>- de-emphasis of XAdES in line with de-emphasis of it in the
>Profiles document (since XAdES is embedded *inside* of XMLDSig, our
>extension is now solely an XMLDSig extension that users can use any
>way they feel, including XAdES and others)
>- revised the URI strings based on changes in the Profiles document
>- revised the XML fragment example based on changes in the Profiles document
>- added the distinction between co-signatures and countersignatures
>in an informative note (doesn't impact on validation or conformance)
>- cited the mechanism in XAdES of embedding information in an
>XMLDSig in an informative note (doesn't impact on validation or conformance)
>- updated the informative reference to 2009-06 version of XAdES
>- absent from this document is any reference to the "detached
>profile"; should one be added? I think not since the reference to
>the signature profiles document is in the context of the extension
>fragment which is used only in the enveloped profile
>- absent from this document is any reference to the conformance
>section of the Profiles document; should one be added?
>- the example file xml/UBL-Invoice-2.0-Signed.xml is removed as its
>pro-forma embedded signature was not bona fide and verifiable
>- the following example files are added (the signatures are created
>using a real certificate for a dummy "Demo UBL" persona using the
>UBL TC comment email address; the free software at
>http://www.CraneSoftwrights.com/resources/ubl/index.htm#digsig was
>used to create these files):
>  xml/UBL-Invoice-2.0-Enveloped.xml
>    - a sample UBL invoice with a bona fide verifiable
>      embedded signature
>  xml/UBL-Invoice-2.0-Detached.xml
>    - a sample UBL invoice referencing an external detached signature
>  xml/UBL-Invoice-2.0-Detached-Signature.xml
>    - the bona fide verifiable detached signature for the sample
>- there are no references to detached signatures as there are in the
>profiles document ... should this change?
>
>
>[2] Changes in UBL Digital Signature Profiles 1.0:
>- change of the document title
>- change of URI strings from "http:" protocol to "urn:" protocol
>- change of the profiles being XAdES-specific to being
>XMLDSig-specific since all of XAdES is embedded inside of XMLDSig
>(and there may be non-XAdES users of XMLDSig who can now use these profiles)
>- major rewrite of text needs a thorough review by UBL Security SC
>members; while I did try and copy major blocks of content, most are
>tweaked in line with terminology used in UBL
>- change conformance clauses to how to conform to the profiles (not
>how the profiles conform to other specifications, which is not the
>intent of the section)
>- used official OASIS DocBook structure in XML (not Word)
>- distinguished normative references from informative references and
>put informative references into notes
>- used some of the UBL 2.1 annex verbatim so as to ensure
>consistency (no need to say things differently) ... any changes,
>then, to the profiles document should also be made in the UBL 2.1 document

--
Contact us for world-wide XML consulting & instructor-led training
Crane Softwrights Ltd. http://www.CraneSoftwrights.com/o/
G. Ken Holman mailto:gkholman@CraneSoftwrights.com
Legal business disclaimers: http://www.CraneSoftwrights.com/legal