OASIS Mailing List Archives


Subject: RE: [ubl] The business case for signatures - is it really there?


Hi Mikkel,
The requirement from the UBL TSC is for the Certificate of Origin document to be digitally signed. We have been in discussion with Peter on this. See attached.

As for the business case from a real domain, well CrimsonLogic has implemented the world's first Electronic Certificate of Origin system. It involves multi-party approval workflow. The CoO document is signed by the exporter signatory party, followed by chamber, embassy and possibly insurance party.

The UBL TSC has actually included Peter's proposed SignatureReference ASBIE in the CoO document to ensure that we align other group's work into our work.

If there are any changes to that, please keep us updated. We are targeting to submit our work to UBL TC on the week of 26 Dec 05.

Regards
Kama
UBL TSC Chair

-----Original Message-----
From: Mikkel Hippe Brun [mailto:mhb@itst.dk] 
Sent: Tuesday, December 13, 2005 3:44 PM
To: 'ubl@lists.oasis-open.org'
Subject: [ubl] The business case for signatures - is it really there?

Dear all,

A signature class is now being proposed to be a part of all UBL documents.

The following business case for this class has been explained to me: Prior
to the exchange of a UBL document, authorized persons may have been required
to digitally approve internal process steps. For an electronic order this
could be the flow:

1. An employee in Big Inc. (Mrs. Imonitorstock) discovers that the stock of
pencils is critically low and sends a request to the purchasing department.
This request is digitally signed.
2. An employee (Mr. Underdog) in the purchasing department creates an Order
and sends it to his boss Mr. Imakethedecision. The signature part of the
Order contains metadata about the signature applied by Mrs. Imonitorstock.
The order is of course signed by Mr. Underdog.
3. Mr. Imakethedecision verifies the signature applied to the order by Mr.
Underdog, adds another ten pencils to the order. The signature metadata of
Mr. Underdog is added to the order and the order is digitally signed by Mr.
Imakethedecision and sent to the supplier.

The above example demonstrates that the signature part proposed to all UBL
messages contains information about previous signatures and approvals
involved in the internal workflow of the organization sending a message. It
is not an attempt to store metadata about the signature applied to the
message on its way from sender to receiver. (This would of course also be
impossible unless you only signed a subset of the document).

The need for the Signature class has come up in the Transport group and
probably for a good reason. I propose that we do not add the Signature class
to documents where we have not seen a strong business case from a real
domain. Academic arguments stating that it would be "nice to have" do not
carry the same weight.

Let's keep UBL on the 80/20 track.

- mikkel


Mikkel Hippe Brun 
Chief Consultant, M.Sc. 
Phone: +45 3337 9220 
Cell: +45 2567 4252 
E-mail: mhb@itst.dk 

National IT and Telecom Agency 
Office of IT Strategy 
Holsteinsgade 63 
DK-2100 Copenhagen  
Denmark 
Phone: +45  3545 0000 
Fax: +45 3545 0010 
www.itst.dk 
itst@itst.dk 


--- Begin Message ---
Hi Peter,

Sorry for the belated reply. Well, as the saying goes, better late than
never. The past 1-month, we've been focusing on finalizing the TSC data
models.

 

In regards to your question, current COML uses the W3C XML DigSig. That
in itself is an ASBIE. We like to explore further your proposed
SignatureReference ABIE, perhaps with more detailed explanation. The
sample file UBL-Order-1.0-Office-Example_with signatureReference.xml
contains the SignatureReference but did not contain the actual
signature. From an implementation perspective, this is not sufficient.
It simply contains the SignatureReference, but the actual signature
which is being referenced to is not there. The actual signature is
needed as well.

 

If you could provide the detailed explanation, in terms of the meaning
of each element, and the sample file with the sample signature, that'll
allow us to understand better and see if it can actually suit our
requirement.

 

Rgds

kama

 

-----Original Message-----
From: Peter Larsen Borresen [mailto:plb@itst.dk] 
Sent: Tuesday, October 11, 2005 7:49 PM
To: Kama, Kamarudin Bin Tambi; ubl-tsc@lists.oasis-open.org;
ubl-psc@lists.oasis-open.org
Cc: Grace Ng, Swee Lee (T&L); Jern Kuan, Leong; Fu Wang, Thio
Subject: SV: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a signature
refenrence]

 

Hi Kama

 

Do I understand you correctly that what you need is an ASBIE that

1) contains (embeds) or refers to the actual signature.

2) contains (embeds) or refers to the document that has been signed.

It is significant to know whether there is a need for actually containing
the signature or whether a reference is enough.

Kind regards

 

Peter

	-----Original Message-----
	From: Kama, Kamarudin Bin Tambi [mailto:kama@crimsonlogic.com]
	Sent: 11 October 2005 04:38
	To: Peter Larsen Borresen; ubl-tsc@lists.oasis-open.org;
ubl-psc@lists.oasis-open.org
	Cc: Grace Ng, Swee Lee (T&L); Jern Kuan, Leong; Fu Wang, Thio
	Subject: RE: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a signature
refenrence]

	Hi Peter,

	Pls see my response below.

	 

	Rgds

	kama

	 

	-----Original Message-----
	From: Peter Larsen Borresen [mailto:plb@itst.dk] 
	Sent: Thursday, September 29, 2005 10:40 PM
	To: Kama, Kamarudin Bin Tambi; ubl-tsc@lists.oasis-open.org;
ubl-psc@lists.oasis-open.org
	Cc: Grace Ng, Swee Lee (T&L); Jern Kuan, Leong; Fu Wang, Thio
	Subject: SV: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a signature
refenrence]

	 

	Hi Kama

	 

	Do I understand you correctly that ebXML supports a
solution where the xml-document and the signature are in the same
envelope, but in different payloads?

	            Kama>> Think you've misunderstood. COML is not a
messaging protocol but a business document. What we mentioned is that in
our solution, the COML approach is independent of the messaging layer.
The digsig is embedded inside the COML document and is used by the
application for multi-signer approval workflows. In ebXML case, the
digsig done in the soap header is only used for the transport layer.

	 

	What I suggest is that the xml-document becomes able to refer to
the signature, not only as a URL but also as a Mime reference. 

	            Kama>> OK, noted.

	 

	The problem with embedding the signature in the xml-document is 

	1) it becomes invalid if it is transformed to another document.


	            Kama>> How does this differ from your proposed
approach? Whenever any XML document is being transformed, the digsig is
no longer valid.

	 

	2) A digital signature on an xml document is not valid in legal
terms. Only a transformation of an xml-document can be brought into a
court room.

	            Kama>> Think let's not get into the legal aspect of
it. Each country will have its own Electronic Transaction Act.
Interpretation might differ from country to country.

	 

	3) A digital signature with the purpose of ensuring that no one
has tampered with the document has nothing to do in a procurement
document. This is a matter for the transportation layer.

	            Kama>> This depends on whether the entire
procurement process requires the document to be signed or not. 

	 

	What is needed at the business level is information about whether
someone actually has approved the document. On the other hand, to reference
the signature gives you problems with consistency and persistency. This
can be solved by adding two more fields in document reference:
GaranteeStoragePeriode and Hashcode (perhaps hashmethod as well).

	Kama>> So, there's a problem with detached signature?

	 

	I would like to hear more about your requirements.

	 

	Kind regards

	 

	Peter L. Borresen

		-----Original Message-----
		From: Kama, Kamarudin Bin Tambi
[mailto:kama@crimsonlogic.com]
		Sent: 29 September 2005 09:02
		To: ubl-tsc@lists.oasis-open.org;
ubl-psc@lists.oasis-open.org; Peter Larsen Borresen
		Cc: Grace Ng, Swee Lee (T&L); Jern Kuan, Leong; Fu Wang,
Thio
		Subject: RE: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a
signature refenrence]

		Hi Peter, Tim,

		Sorry for the late response. We have reviewed the
proposal for signature reference. Below is our comment:-

		 

		1.      The signature reference calls for the usage of
detached signature. This would be useful in scenario where binary data
is involved and where the referenced signature is always available and
accessible via the specified URL 

		2.      Both ebXML messaging service and COML however
use the enveloped approach, wherein the digital signature (digsig) is
embedded inside the message itself. In the case of COML, XPath is being
used to reference the appropriate section of the payload that needs the
digsig. This is a preferred approach where we need to perform online
verification of digsig. Hence, there will not be a need to make
reference to an external resource, which may not be available at the
time when the digsig verification is being performed. This reduces the
possibility of digsig failure. 

		 

		We would urge that you study the COML approach in
handling digsig for XML payload.

		 

		Regards

		Kama

		UBL TSC Chair

		 

		 

		-----Original Message-----
		From: Tim McGrath [mailto:tmcgrath@portcomm.com.au] 
		Sent: Tuesday, September 13, 2005 9:06 PM
		To: ubl-tsc@lists.oasis-open.org
		Subject: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a
signature refenrence]

		 

		forwarded from Peter Borresen.  
		
		this is a sample instance of his proposed digital
signature approach.  can we get some technical feedback on the
suitability of this for our needs.
		
		-------- Original Message -------- 

		Subject: [ubl-psc] Proposal for a signature refenrence
		Date: Tue, 13 Sep 2005 14:11:49 +0200
		From: Peter Larsen Borresen <plb@itst.dk>
		To: ubl-psc@lists.oasis-open.org, "'ytlee@cecid.hku.hk'" <ytlee@cecid.hku.hk>
		CC: 'jon.bosak@sun.com' <jon.bosak@sun.com>

		 

		Hello Thomas and Procurement subcommittee
		 
		Please find my proposal for a signature reference in the
xml-spy screen
		dump and xml example file.
		 
		 
		Best regards
		 
		Peter L. Borresen
		 
		 <<SignatureReference.gif>>
<<UBL-Order-1.0-Office-Example_with
		signatureReference.xml>> 
		 

		 

		-- 
		regards
		tim mcgrath
		phone: +618 93352228  
		postal: po box 1289   fremantle    western australia
6160
		 
		DOCUMENT ENGINEERING: Analyzing and Designing Documents
for Business Informatics and Web Services
	
http://mitpress.mit.edu/catalog/item/default.asp?sid=632C40AB-4E94-4930-
A94E-22FF8CA5641F&ttype=2&tid=10476

--- End Message ---
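
The detached-reference check debated in the thread (a reference that carries a hash code and hash method and must be resolved at verification time), as an added example that is not part of the original messages. The field names `uri`, `hash_method` and `hash_code`, the in-memory `store` and both sample documents are constructed assumptions, and a plain digest stands in for the signature itself.

```python
import hashlib
import hmac

# Constructed sample documents (not the attachments from the thread).
SIGNED_DOC = b"<Order><ID>1</ID><Quantity>10</Quantity></Order>"
# The same information after a transformation (here: re-indentation).
TRANSFORMED_DOC = b"<Order>\n  <ID>1</ID>\n  <Quantity>10</Quantity>\n</Order>"

ALLOWED_METHODS = {"sha256", "sha512"}  # refuse weak or unknown digests


def make_reference(uri, content, hash_method="sha256"):
    """Build a reference record: where the object lives plus its digest."""
    if hash_method not in ALLOWED_METHODS:
        raise ValueError("unsupported hash method")
    digest = hashlib.new(hash_method, content).hexdigest()
    return {"uri": uri, "hash_method": hash_method, "hash_code": digest}


def check_reference(ref, store):
    """Resolve a reference against `store` (uri -> bytes) and compare digests.

    Returns 'ok', 'unavailable' (the object cannot be fetched when the check
    runs), 'mismatch' (the bytes differ from what was referenced) or
    'unsupported' (hash method not on the allow-list).
    """
    if ref["hash_method"] not in ALLOWED_METHODS:
        return "unsupported"
    content = store.get(ref["uri"])
    if content is None:
        return "unavailable"
    actual = hashlib.new(ref["hash_method"], content).hexdigest()
    # Constant-time comparison of the two hex digests.
    return "ok" if hmac.compare_digest(actual, ref["hash_code"]) else "mismatch"


def demo():
    uri = "urn:example:order-1"  # constructed identifier
    ref = make_reference(uri, SIGNED_DOC)
    return {
        "intact": check_reference(ref, {uri: SIGNED_DOC}),
        "transformed": check_reference(ref, {uri: TRANSFORMED_DOC}),
        "offline": check_reference(ref, {}),
    }


if __name__ == "__main__":
    print(demo())
```

The three results correspond to the points raised in the exchange: the hash code catches any change to the referenced bytes, a transformation of the document fails the check just as it would for an embedded signature, and a reference that cannot be resolved at verification time cannot be checked at all.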