
ubl-security message



Subject: Re: [ubl-security] Draft 07 of UBL security profiles and proposed PRD2 UBL 2.1 doc, schemas and examples


Thanks again Ken for your work.
Please find attached my comments to the profile: it is in open document with comments and revision marks enabled, derived from the HTML version.
As there are not a lot of modifications, they can be applied to the original if agreed.
As you can see there, I think it's better to keep XAdES normative, even if not mandatory, because the implementor chooses whether to add XAdES extended properties to the signature(s) but, if so, the document specifies how to do it in a normative way.
Let me know what you think.

Andrea

cd07-UBL-DSig-1.0+AC.odt



On 16 Nov 2010, at 00:05, G. Ken Holman wrote:

> Fellow UBL Security SC members,
> 
> Please find (described below) at:
> 
>   http://www.oasis-open.org/committees/document.php?document_id=40254
> 
> [1] proposed PRD2 changes related to security (schemas, example instances, prose for the annexes) and [2] draft 07 of the UBL security profiles (a rewrite of UBL-XAdES-Profile 1.0-RC2.doc released earlier).
> 
> I have released the drafts in the same ZIP file because the two are related.
> 
> The directories in the ZIP have these files:
> 
> \    - revised sample instances for PRD2 (now with bona fide and
>        verifiable signatures)
> \profiledoc - proposed UBL security profiles rewrite (HTML and PDF)
> \ubl21doc - proposed UBL 2.1 PRD2 annex rewrite (skeletal HTML and XML)
> \xsd - proposed UBL 2.1 PRD2 extension schema changes (with PRD1
>        business objects)
> 
> Jon, I tried to hack the UBL 2.1 PRD2 annex XML in such a way that you can replace it directly in your edited content.  Also, I've summarized below the changes since we will have to document the differences between PRD1 and PRD2.  I hope I didn't miss anything.
> 
> Also, Jon, regarding the schemas and instances, this is *not* the package of SGTG replacement directories for PRD2.  Only enough for the Security SC to work with the example signed UBL documents.  The SGTG replacement directory package will come later and I'll post it to the main list.
> 
> Please let me know if anyone has any questions.  I look forward to your critical feedback.  I think everything we need is in there, but I could have easily overlooked something ... I've been staring at this stuff for days.
> 
> Thanks!
> 
> . . . . . . . . . . Ken
> 
> [1] Changes in UBL 2.1 annexes for PRD2:
> - prose changes describing new extension methodology of simply importing extension fragments (I've embedded Jon's name in some places where the changes are not obvious; I've edited the DocBook markup so it *should* be possible to simply replace the existing markup with this contributed markup as a starting point to the next round of edits)
> - de-emphasis of XAdES in line with de-emphasis of it in the Profiles document (since XAdES is embedded *inside* of XMLDSig, our extension is now solely an XMLDSig extension that users can use any way they feel, including XAdES and others)
> - revised the URI strings based on changes in the Profiles document
> - revised the XML fragment example based on changes in the Profiles document
> - added the distinction between co-signatures and countersignatures in an informative note (doesn't impact on validation or conformance)
> - cited the mechanism in XAdES of embedding information in an XMLDSig in an informative note (doesn't impact on validation or conformance)
> - updated the informative reference to 2009-06 version of XAdES
> - absent from this document is any reference to the "detached profile"; should one be added?  I think not since the reference to the signature profiles document is in the context of the extension fragment which is used only in the enveloped profile
> - absent from this document is any reference to the conformance section of the Profiles document; should one be added?
> - the example file xml/UBL-Invoice-2.0-Signed.xml is removed as its pro-forma embedded signature was not bona fide and verifiable
> - the following example files are added (the signatures are created using a real certificate for a dummy "Demo UBL" persona using the UBL TC comment email address; the free software at http://www.CraneSoftwrights.com/resources/ubl/index.htm#digsig was used to create these files):
>    xml/UBL-Invoice-2.0-Enveloped.xml
>         - a sample UBL invoice with a bona fide verifiable embedded signature
>    xml/UBL-Invoice-2.0-Detached.xml
>         - a sample UBL invoice referencing an external detached signature
>    xml/UBL-Invoice-2.0-Detached-Signature.xml
>         - the bona fide verifiable detached signature for the sample
> - there are no references to detached signatures as there are in the profiles document ... should this change?
> 
> 
> [2] Changes in UBL Digital Signature Profiles 1.0:
> - change of the document title
> - change of URI strings from "http:" protocol to "urn:" protocol
> - change of the profiles being XAdES-specific to being XMLDSig-specific since all of XAdES is embedded inside of XMLDSig (and there may be non-XAdES users of XMLDSig who can now use these profiles)
> - major rewrite of text needs a thorough review by UBL Security SC members; while I did try and copy major blocks of content, most are tweaked in line with terminology used in UBL
> - change conformance clauses to how to conform to the profiles (not how the profiles conform to other specifications, which is not the intent of the section)
> - used official OASIS DocBook structure in XML (not Word)
> - distinguished normative references from informative references and put informative references into notes
> - used some of the UBL 2.1 annex verbatim so as to ensure consistency (no need to say things differently) ... any changes, then, to the profiles document should also be made in the UBL 2.1 document
> 
> 
> --
> Contact us for world-wide XML consulting & instructor-led training
> Crane Softwrights Ltd.          http://www.CraneSoftwrights.com/o/
> G. Ken Holman                 mailto:gkholman@CraneSoftwrights.com
> Legal business disclaimers:  http://www.CraneSoftwrights.com/legal
> 
> 


