OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ubl message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: UBL Profile for XML Digital Signatures and XAdES implementation


(posted to the TC list as I do not have posting 
privileges to the Security SC list; I was invited 
to comment specifically on this posting and resulting thread:
http://lists.oasis-open.org/archives/ubl-security/200911/msg00002.html
)

At 2009-11-24 10:23 +0100, Julißn Inza wrote:
>Here is the last iteration of the document.

Please forgive my tardy response to this posting, 
but I have just completed over a month full of 
teaching in Europe, US and Asia.  I finally have 
had time to look over the details and post before 
I head home from Delhi, India.

First let me say that I do not have a background 
in digital signatures, and I've approached this 
document as an implementer wanting to learn how 
digital signatures are to be used with UBL.  I 
hope my comments are considered helpful, but be 
prepared that they may be na´ve of security 
issues and that other readers of the document may 
be similarly na´ve and would need guidance.

I was asked specifically to comment on the 
referencing, and so will focus some points 
there.  I also note some editorial issues that 
the editors of the document will likely need to 
address to make the document acceptable to the 
OASIS management.  I first respond to some 
comments made in the email thread and then offer my comments on the document.

In all, it looks remarkably straightforward.  I 
thought it would be more complicated than what I see.

>In yellow is marked what I think needs further discussion.

Thank you for highlighting that which needs focus 
as doing so helps to save time.

I see in the thread that Roberto and Andrea have 
both contributed to the discussion, so I will try 
to bring their comments into my proposal.

>Originally the reference  to the element 
><ds:Signature> in  <cac:Signature> was done 
>through 
>cac:DigitalSignatureAttachment/cac:ExternalReference/cbc:URI 
>using Id (unique identifier) from  <ds:Signature>.
>
>Now there are two references
>-          cac:Signature/cbc:ID using Id (unique 
>identifier) from  <ds:Signature>.
>- 
>cac:DigitalSignatureAttachment/cac:ExternalReference/cbc:URI 
>using a  #xpointer to  ds:Signature

Periodically, discussions are held over the 
benefits of XPointer and whether or not it is 
useful.  Technically it seems to be well 
received, but very few projects use it, and I'm 
told that some who do use it are using it 
improperly.  There is not a lot of vendor support for it.

>I think this adds complexity and I don┤t understand why could be useful.

I feel that XPointer is not consistent with the 
ways in which identifiers are specified in UBL 
and that any signature solution should try to be 
consistent.  It would not serve our users well to 
have different ways of making 
references.  Currently no attributes are being 
used for identifiers.  ID and IDREF are not 
employed in UBL.  All information is in elements 
that are or are candidates to become core 
components, and attributes are only used as 
supplementary components to elements.

Therefore, I think we need to eschew any use of 
attributes for referencing and find ways of 
making references by using elements and 
associating identifiers.  Thankfully, I see in 
the XML Signature core specification that all id= 
attributes within <ds:Signature> are optional, so 
we are not obliged to use an attribute.  So where 
we need one we should probably wrap 
<ds:Signature> in an aggregate in order to 
associate a cbc:ID sibling of ds:Signature to be 
consistent with UBL design practices (but not, of 
course, if their absence violates some of the 
rules of XML signatures).  Also, by creating our 
own wrapper, if in the future we have to add more 
than just an identifier we now have a place to do 
so (if ds:* were the top-level element, we wouldn't).

Similarly, while XPath is an ideal language for 
addressing components of XML documents, and while 
it is used in cac:DocumentReference/cbc:XPath to 
point into referenced documents, we haven't yet 
employed it to associate components of UBL 
documents with each other.  Moreover, I think 
though the precedent has been set to embed XPath 
information in an XML document, from an 
implementation perspective this may be 
awkward.  Some transformation technologies 
(notably XQuery and XSLT) are unable to evaluate 
XPath addresses at run time and can only work 
with XPath addresses at compile time.  This may 
be sufficient reason not to use them.

At 2009-11-27 22:13 +0100, Andrea Caccia wrote:
>About identification of the signature: 
>ds:Signature has an ID so it must be unique in 
>the XML document;  if I'm not 
>wrong,  cac:Signature/cbc:ID is mandatory when 
>cac:Signature is present. Taking this into 
>account, if we put in cbc:ID the ID associated 
>with ds:Signature the link is unique and 
>unambiguous, so we can avoid to have 
>cac:DigitalSignatureAttachment/cac:ExternalReference/cbc:URI 
>with the #xpointer as it is redundant and, I 
>agree with you, does not add any additional information.

Good ... I agree with anything that will take away the XPointer value.

Unfortunately, though, we cannot follow through 
with your suggestion to utilize the 
cac:Signature/cbc:ID value as the 
ds:Signature/@id value as they have different 
lexical constraints.  It is easily possible to 
have a cbc:ID value that violates the constraints of xsd:ID.

Thus, we are back to my suggestion that we need 
to wrap ds:Signature with an aggregate in order 
to associate a cbc:ID with ds:Signature.

The top-level element for a user extension under 
the UBL extension point cannot be in any of the 
UBL namespaces according to current 
practice.  But we are creating this as a 
*standardized* UBL extension and not as an ad-hoc 
user extension.  Thus, contrary to what one might 
consider, we could utilize the 
already-standardized aggregate namespace for this 
new aggregate.  This would require some 
ratification by the TC as it would be the first 
time we've added an item to the common library 
for use in an extension that isn't being used in 
the body of UBL documents.  Furthermore, since 
the common library has already been published, is 
it improper to have yet more elements added to 
the namespace?  I suspect this last issue is not 
a problem since UBL 2.1 will be using the 
namespace for other new aggregates being added to the common library.

But an argument not to use the common library 
namespace is that this signature method will 
*always* be under the UBL extension point and 
will not be "moved" into the document tree as 
part of UBL 2.1 or future releases of UBL.  And 
it is our committee's first example of a 
standardized extension.  Users creating their own 
ad-hoc extensions would see what we've done in 
using a non-CAC namespace for our own work.

I invite debate on the above.  In that debate I 
think I would side with the UBL committee 
creating a new non-CAC namespace as the namespace 
of the top-level element under the extension 
point for a UBL-Security extension.

>About SignatoryParty I think the important 
>information is to identify what is the party 
>that is signing: the seller, the buyer or a 
>third party. This is specially important if the 
>signed document is an invoice. I'm not an UBL 
>expert but as SignatoryParty it's better to have 
>an identifier that is meaningful from the business point of view:

We are unable to change the definition of 
SignatoryParty.  I believe that throughout UBL it 
is not uncommon to have the same physical party 
details listed under different logical party 
elements.  But it is not possible that I know of 
to use references from one logical party to 
another logical party to indicate the two parties are the same physical party.

>in this sense we can also avoid to use the 
>Subject DN (it is likely that it is a parameter 
>you get from the signature verification process as part of the result).

In my example below I've indicated how it might be specified if it is needed.

>So my idea is to let the implementor the freedom 
>to insert here what could be relevant as 
>identification of the signing entity at the business/legal processing level.
>I propose to use the optional cbc:Note field 
>available inside cac:Signature to bring the 
>mandatory note you have to mention if the 
>invoice is not signed by the seller (i.e. 
>"issued on behalf of the seller" or whatever the 
>regulation of the seller country mandates).

I think this is entirely appropriate and see no 
problems, though we could only propose that as a 
guideline as I don't think we could mandate the wording of the content.

So, looking at the "UBL [XAdES] Profile Version 
1.0 3 September 2009" document, I offer the 
following technical and editorial 
comments.  Again, please forgive any na´vetÚ 
regarding the digital signature specification.

I'm using the definitions for extension metadata 
embedded as annotation elements in:

http://docs.oasis-open.org/ubl/os-UBL-2.0-update/xsd/common/UBL-CommonExtensionComponents-2.0.xsd

Technical comments:

Here is an example of how I might embed the 
signature information.  Those items with #PCDATA 
surrounded by asterisks would be simple user 
input and not standardized or suggested 
content.  Looking at each definition, I interpret 
those I've marked with asterisks as up to the 
writer of the UBL document to define, and the 
others as up to the UBL committee to define ... 
though I may be mistaken about this given they 
aren't distinguished in their name.  In fact I'm 
now questioning my assumption because I suppose 
all of the items could be oriented to the *user* 
of the extension rather than to the 
*standardizer* of the extension.  I welcome input 
on this, especially from Stephen Green who helped 
come up with the extension metadata.

<ext:UBLExtension>
   <cbc:ID>*DemoSig*</cbc:ID>
   <cbc:Name>*Demonstration of signature*</cbc:Name>
   <ext:ExtensionAgencyID>UBL</ext:ExtensionAgencyID>
   <ext:ExtensionAgencyName>OASIS Universal 
Business Language</ext:ExtensionAgencyName>
   <ext:ExtensionVersionID>0.1</ext:ExtensionVersionID>
   <ext:ExtensionAgencyURI>http://www.oasis-open.org</ext:ExtensionAgencyURI>
   <ext:ExtensionURI>urn:oasis:names:specification:ubl:schema:xsd:CommonSignatureComponents-2</ext:ExtensionURI>
   <ext:ExtensionReasonCode 
listURI="*urn:x-Demo:Demo:ReasonCodes*">*1*</ext:ExtensionReasonCode>
   <ext:ExtensionReason>*Security*</ext:ExtensionReason>
   <ext:ExtensionContent>
     <sig:Signature 
xmlns:sig="urn:oasis:names:specification:ubl:schema:xsd:CommonSignatureComponents-2">
       <cbc:ID>*AnySignatureID*</cbc:ID>
       <ds:Signature Id="AnySignatureID"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
                     xmlns:xades="http://uri.etsi.org/01903/v1.4.1#";>
         [...]
       </ds:Signature>
     </sig:Signature>
   </ext:ExtensionContent>
</ext:UBLExtension>

Note that I am consciously reusing the common 
basic component identifier rather than coming up 
with a new element (extensions should re-use components where already defined).

I think the URI syntax we use should be 
consistent with other UBL URI strings (and my use 
of "-cd01" is consistent with an editorial comment below):

<cac:Signature>
   <cbc:ID>*AnySignatureID*</cbc:ID>
   <cbc:Note>*issued on behalf of the seller*</cbc:Note>
   <cbc:SignatureMethod>urn:oasis:names:specification:ubl:method:dsigp-1.0-cd01</cbc:SignatureMethod>
   <cac:SignatoryParty>
     <cac:PartyIdentification>
       <cbc:ID 
schemeURI="<http://www.ietf.org/rfc/rfc4514.txt>http://www.ietf.org/rfc/rfc4514.txt";>*Subject 
Distinguished Name*</cbc:ID>
     </cac:PartyIdentification>
   </cac:SignatoryParty>
</cac:Signature>

Note that I'm assuming the string 
"X509SubjectName" in the document wasn't an 
international standard and was merely a proposed string by the SC.

Editorial comments:

- "Editosr" -> "Editors"
- in the "This version" section, one of the files 
must be marked as the authoritative copy
- in the "This version" section, the URI strings should probably be:
     ..../securitysc/dsigp-1.0/dsigp-1.0-cd01.*
- the "Latest version" must be a set of generic URI strings without versions:
     ..../securitysc/dsigp-1.0/dsigp-1.0.*
   ... and OASIS management will create the 
necessary links from the "Latest version" URIs to the "This version" URIs
- the "Declared XML Namespace(s)" section is only 
for those namespaces created by this 
specification ... thus there would only be one 
(which I do not see in the list yet) which is the 
one we standardize for the UBL Extension namespace
- the "Contributors" section is usually an annex 
titled "Acknowledgements (Non-Normative" and not 
included at the front of the document
- under "Notices" the copyright year should be 
"2009" (or I suppose "2010" if we think it won't be done in the next month)
- "3 Object" -> "3 Objectives"
- I think attention should be paid to each major 
section to indicate if the section is normative 
or non-normative relative to the definition of 
the specification; for example, section one is 
normative as it is describing that which is being 
specified.  But section two, while helpful 
information that should be included, I believe is 
non-normative (and should be marked as such) 
because the specification wouldn't change if you 
removed the section; it is supportive descriptive 
material but not support prescriptive 
material.  The objectives are normative.  Section 
4 is, of course, normative.  As is 
conformance.  So my opinion is that section 2 and 
the annexes are the ones to be marked as "non-normative"
- should section 4.1 become section 3.1 so that 
the fall under objectives of digital signatures 
in UBL?  They are still normative, but they look 
out of place in section 4 and I think are more 
appropriate as a section 3.1 (or 3.2 if the 
current 3 becomes 3.1) ... that would leave 
section 4 purely for the specification details
- I think sentences like "This guarantee that the 
signed document remains conformant to the UBL 
syntax." would be moved to a non-normative section
- section 4.4 should be moved to be the 
conformance section ... those certainly read as 
if they were conformance clauses
- I think conformance clauses should be numbered 
for easy distinction and identification


I hope this input helps.  I am sorry that it took 
so long for me to review this, but I wanted to 
write a considered response and not just a 
quickie.  None of the above is cast in stone ... 
merely my input to your deliberations.

Good luck finalizing the details!  Do not 
hesitate to ask me any questions or to ask others 
on the committee if I've messed up in my suggestions.

. . . . . . . . . . . . Ken

--
Vote for your XML training:   http://www.CraneSoftwrights.com/o/i/
Crane Softwrights Ltd.          http://www.CraneSoftwrights.com/o/
Training tools: Comprehensive interactive XSLT/XPath 1.0/2.0 video
Video lesson:    http://www.youtube.com/watch?v=PrNjJCh7Ppg&fmt=18
Video overview:  http://www.youtube.com/watch?v=VTiodiij6gE&fmt=18
G. Ken Holman                 mailto:gkholman@CraneSoftwrights.com
Male Cancer Awareness Nov'07  http://www.CraneSoftwrights.com/o/bc
Legal business disclaimers:  http://www.CraneSoftwrights.com/legal



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]