Subject: RE: [ubl] The business case for signatures - is it really there?
Hi Mikkel,

The requirement from the UBL TSC is for the Certificate of Origin document to be digitally signed. We have been in discussion with Peter on this. See attached.

As for the business case from a real domain, well CrimsonLogic has implemented the world's first Electronic Certificate of Origin system. It involves multi-party approval workflow. The CoO document is signed by the exporter signatory party, followed by chamber, embassy and possibly insurance party.

The UBL TSC has actually included Peter's proposed SignatureReference ASBIE in the CoO document to ensure that we align other group's work into our work. If there are any changes to that, please keep us updated. We are targeting to submit our work to UBL TC on the week of 26 Dec 05.

Regards
Kama
UBL TSC Chair

-----Original Message-----
From: Mikkel Hippe Brun [mailto:firstname.lastname@example.org]
Sent: Tuesday, December 13, 2005 3:44 PM
To: 'email@example.com'
Subject: [ubl] The business case for signatures - is it really there?

Dear all,

A signature class is now being proposed to be a part of all UBL documents. The following business case for this class has been explained to me:

Prior to the exchange of a UBL document, authorized persons may have been required to digitally approve internal process steps. For an electronic order this could be the flow:

1. An employee in Big Inc. (Mrs. Imonitorstock) discovers that the stock of pencils is critically low and sends a request to the purchasing department. This request is digitally signed.

2. An employee (Mr. Underdog) in the purchasing department creates an Order and sends it to his boss Mr. Imakethedecision. The signature part of the Order contains metadata about the signature applied by Mrs. Imonitorstock. The order is of course signed by Mr. Underdog.

3. Mr. Imakethedecision verifies the signature applied to the order by Mr. Underdog, adds another ten pencils to the order. The signature metadata of Mr. Underdog is added to the order and the order is digitally signed by Mr. Imakethedecision and sent to the supplier.

The above example demonstrates that the signature part proposed to all UBL messages contains information about previous signatures and approvals involved in the internal workflow of the organization sending a message. It is not an attempt to store metadata about the signature applied to the message on its way from sender to receiver. (This would of course also be impossible unless you only signed a subset of the document).

The need for the Signature class has come up in the Transport group and probably for a good reason. I propose that we do not add the Signature class to documents where we have not seen a strong business case from a real domain. Academic arguments stating that it would be "nice to have" do not carry the same weight.

Let's keep UBL on the 80/20 track.

- mikkel

Mikkel Hippe Brun
Chief Consultant, M.Sc.
Phone: +45 3337 9220
Cell: +45 2567 4252
E-mail: firstname.lastname@example.org

National IT and Telecom Agency
Office of IT Strategy
Holsteinsgade 63
DK-2100 Copenhagen Ø
Denmark
Phone: +45 3545 0000
Fax: +45 3545 0010
www.itst.dk
email@example.com
--- Begin Message ---
- From: "Kama, Kamarudin Bin Tambi" <firstname.lastname@example.org>
- To: "Peter Larsen Borresen" <email@example.com>,<firstname.lastname@example.org>,<email@example.com>
- Date: Fri, 18 Nov 2005 16:52:32 +0800

Hi Peter,

Sorry for the belated reply. Well, as the saying goes, better late than never. The past 1-month, we've been focusing on finalizing the TSC data models.

In regards to your question, current COML uses the W3C XML DigSig. That in itself is an ASBIE. We like to explore further your proposed SignatureReference ABIE, perhaps with more detailed explanation.

The sample file UBL-Order-1.0-Office-Example_with signatureReference.xml contains the SignatureReference but did not contain the actual signature. From an implementation perspective, this is not sufficient. It simply contains the SignatureReference, but the actual signature which is being referenced to is not there. The actual signature is needed as well.

If you could provide the detailed explanation, in terms of the meaning of each element, and the sample file with the sample signature, that'll allow us to understand better and see if it can actually suit our requirement.

Rgds
kama

-----Original Message-----
From: Peter Larsen Borresen [mailto:firstname.lastname@example.org]
Sent: Tuesday, October 11, 2005 7:49 PM
To: Kama, Kamarudin Bin Tambi; email@example.com; firstname.lastname@example.org
Cc: Grace Ng, Swee Lee (T&L); Jern Kuan, Leong; Fu Wang, Thio
Subject: SV: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a signature refenrence]

Hi Kama

Do I understand you correctly that what you need is an ASBIE that

1) contains (embed) or refer to the actual signature.

2) contains (embed) or refer to the document that has been signed.

It is significant to know whether there is a need for actually containing the signature or whether a reference is enough.

Kind regards
Peter

-----Original Message-----
From: Kama, Kamarudin Bin Tambi [mailto:email@example.com]
Sent: 11 October 2005 04:38
To: Peter Larsen Borresen; firstname.lastname@example.org; email@example.com
Cc: Grace Ng, Swee Lee (T&L); Jern Kuan, Leong; Fu Wang, Thio
Subject: RE: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a signature refenrence]

Hi Peter,

Pls see my response below.

Rgds
kama

-----Original Message-----
From: Peter Larsen Borresen [mailto:firstname.lastname@example.org]
Sent: Thursday, September 29, 2005 10:40 PM
To: Kama, Kamarudin Bin Tambi; email@example.com; firstname.lastname@example.org
Cc: Grace Ng, Swee Lee (T&L); Jern Kuan, Leong; Fu Wang, Thio
Subject: SV: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a signature refenrence]

Hi Kama

Do I understand you correctly that ebXML supports a solution where the xml-document and the signature are in the same envelope, but in different payloads?

Kama>> Think you've misunderstood. COML is not a messaging protocol but a business document. What we mentioned is that in our solution, the COML approach is independent of the messaging layer. The digsig is embedded inside the COML document and is used by the application for multi-signer approval workflows. In ebXML case, the digsig done in the soap header is only used for the transport layer.

What I suggest is that the xml-document becomes able to refer to the signature, not only as a URL but also as a Mime reference.

Kama>> OK, noted.

The problem with embedding the signature in the xml-document is

1) it becomes invalid if it is transformed to another document.

Kama>> How does this differ from your proposed approach? Whenever any XML document is being transformed, the digsig is no longer valid.

2) A digital signature on a xml document is not valid in legal terms. Only a transformation of a xml-document can be brought into a court room.

Kama>> Think lets not get into the legal aspect of it. Each country will have its own Electronic Transaction Act. Interpretation might differ from country to country.

3) A digital signature with the purpose of ensuring that no one has tampered with the document has nothing to do in a procurement document. This is a matter for the transportation layer.

Kama>> This depends on whether the entire procurement process requires the document to be signed or not.

What is needed at the business level is information about whether someone has actually approved the document.

On the other hand, to reference the signature gives you problem with consistency and persistency. This can be solved by adding two more fields in document reference: GaranteeStoragePeriode and Hashcode (perhaps hashmethod as well).

Kama>> So, there's a problem with detached signature?

I would like to hear more about your requirements.

Kind regards
Peter L. Borresen

-----Original Message-----
From: Kama, Kamarudin Bin Tambi [mailto:email@example.com]
Sent: 29 September 2005 09:02
To: firstname.lastname@example.org; email@example.com; Peter Larsen Borresen
Cc: Grace Ng, Swee Lee (T&L); Jern Kuan, Leong; Fu Wang, Thio
Subject: RE: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a signature refenrence]

Hi Peter, Tim,

Sorry for the late response. We have reviewed the proposal for signature reference. Below is our comment:-

1. The signature reference calls for the usage of detached signature. This would be useful in scenario where binary data is involved and where the referenced signature is always available and accessible via the specified URL

2. Both ebXML messaging service and COML however uses the enveloped approach, wherein the digital signature (digsig) is embedded inside the message itself. In the case of COML, XPath is being used to reference the appropriate section of the payload that needs the digsig. This is a preferred approach where we need to perform online verification of digsig. Hence, there will not be a need to make reference to an external resource, which may not be available at the time when the digsig verification is being performed. This reduces the possibility of digsig failure.

We would urge that you study the COML approach in handling digsig for XML payload.

Regards
Kama
UBL TSC Chair

-----Original Message-----
From: Tim McGrath [mailto:firstname.lastname@example.org]
Sent: Tuesday, September 13, 2005 9:06 PM
To: email@example.com
Subject: [ubl-tsc] [Fwd: [ubl-psc] Proposal for a signature refenrence]

forwarded from Peter Borresen. this is a sample instance of his proposed digital signature approach. can we get some technical feedback on the suitability of this for our needs.

-------- Original Message --------
Subject: [ubl-psc] Proposal for a signature refenrence
Date: Tue, 13 Sep 2005 14:11:49 +0200
From: Peter Larsen Borresen <firstname.lastname@example.org> <mailto:email@example.com>
To: firstname.lastname@example.org, "'email@example.com'" <mailto:'firstname.lastname@example.org'> <email@example.com> <mailto:firstname.lastname@example.org>
CC: 'email@example.com' <firstname.lastname@example.org> <mailto:email@example.com>

Hello Thomas and Procurement subcommittee

Please find my proposal for a signature reference in the xml-spy screen dump and xml example file.

Best regards
Peter L. Borresen

<<SignatureReference.gif>> <<UBL-Order-1.0-Office-Example_with signatureReference.xml>>

--
regards
tim mcgrath
phone: +618 93352228
postal: po box 1289 fremantle western australia 6160

DOCUMENT ENGINEERING: Analyzing and Designing Documents for Business Informatics and Web Services
http://mitpress.mit.edu/catalog/item/default.asp?sid=632C40AB-4E94-4930-A94E-22FF8CA5641F&ttype=2&tid=10476

--- End Message ---
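
Added example, not part of the thread or of any UBL/COML code: a sketch of the detached-reference checks discussed above, showing the "persistency" and "consistency" failures and the effect of changing the document after approval. The Hashcode and HashMethod field names follow the proposal in the thread; the DocumentDigest field, the URN, the in-memory store and the sample order are assumptions constructed for illustration, and a plain hash stands in for a real signature.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample data; element names are illustrative, not the UBL schema.
ORDER = '<Order><ID>42</ID><Quantity unitCode="EA" note="x">10</Quantity></Order>'
SIG_URI = "urn:example:signature:1"            # hypothetical reference URI
STORE = {SIG_URI: b"constructed detached signature value"}  # stand-in repository


def digest(data: bytes, method: str = "sha256") -> str:
    return hashlib.new(method, data).hexdigest()


def document_digest(xml_text: str) -> str:
    """Hash the C14N form so attribute order and quoting do not matter."""
    return digest(canonicalize(xml_text).encode("utf-8"))


def make_reference(uri: str, xml_text: str, store: dict) -> dict:
    """Build a reference with Hashcode/HashMethod; DocumentDigest is assumed."""
    return {
        "URI": uri,
        "HashMethod": "sha256",
        "Hashcode": digest(store[uri]),
        "DocumentDigest": document_digest(xml_text),
    }


def check_reference(ref: dict, xml_text: str, store: dict) -> str:
    """Classify what a verifier sees when resolving a detached reference."""
    blob = store.get(ref["URI"])
    if blob is None:
        return "unavailable"         # persistency: resource gone at verify time
    if digest(blob, ref["HashMethod"]) != ref["Hashcode"]:
        return "signature-replaced"  # consistency: resource changed since signing
    if document_digest(xml_text) != ref["DocumentDigest"]:
        return "document-changed"    # content differs from what was approved
    return "ok"


if __name__ == "__main__":
    ref = make_reference(SIG_URI, ORDER, STORE)
    edited = ORDER.replace(">10<", ">20<")
    for label, doc, store in [("original", ORDER, STORE), ("edited", edited, STORE),
                              ("store offline", ORDER, {})]:
        print(label, "->", check_reference(ref, doc, store))
```
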