[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: wd-08
I added lots of changes from Juan Carlos, Nick, Frederick, and myself. Also I expanded the text in several places to make it more clear. http://www.oasis-open.org/apps/org/workgroup/dss/download.php/4428/oasis-dss-1.0-core-spec-wd-08.doc http://www.oasis-open.org/apps/org/workgroup/dss/download.php/4429/oasis-dss-1.0-core-schema-wd-08.xsd There's no pdf cause my pdf-making thing broke. Could someone else make one? There's no timestamp schema cause I moved the timestamp elements into the core schema. Here are a list of changes I decided to make while working on the document. These haven't received much (or any) discussion yet. Please let me know if you disagree with any of them. Below that are lists of changes that were proposed and discussed on the list. ------------------------------- - <SignaturePtr> - the text now says that this may only be used in the verify protocol, when sending a signature to the server. Since knowing the location of the signature is necessary for the server to apply the Enveloped Signature Transform, I don't think we can eliminate this. - NameType - made the 'Format' attribute required, instead of optional. - <ResultMajor> / <ResultMinor> are changed from QNames to a String / URI, respectively. This is simple for ResultMajor, since it only assumes 3 values (Success, RequesterError, ResponderError), and lets ResultMinor be extensible without the bother of QNames. - The <ResultMinor> codes for verification are expanded. In particular, there are 3 different success codes, depending upon the relation of the signature to the input documents: - ValidSignature_OnAllDocuments: the signature covers all of the input documents, just as they were passed in - ValidSignature_OnTransformedDocuments: the signature covers all of the input documents, but some of them have additional transforms that the client didn't pass in. - ValidSignature_NotAllDocuments: not all documents passed in by the client were covered by the signature - There's also a new failure code: - InappropriateSignature - the signature has the wrong semantics or policy - New <ReturnTimeStampTime> option for querying the time when verifying a TimeStampToken - The timestamp elements are moved into the core schema, instead of being in their own schema - since these things are all defined by the same document, a single schema makes sense, and the separate schemas needed to circularly include each other. - The <TstInfo>'s fields were changed from attributes to elements, since we wanted to add a TSA field, and this is a complex type so it needs to be an element. - The <XMLTimeStampToken> is of type ds:SignatureType. It contains a <ds:Reference> that refers to the enveloped <TstInfo>. This <ds:Reference> previously referred to the <TstInfo> by 'URI="#tstInfo"'. This requires the <TstInfo> to have an ID=tstInfo attribute, and if there were multiple timestamps within the same document, these would conflict. XML-DSIG allows a single <ds:Reference> within a signature to omit the URI attribute, and let its reference be determined by the application context. So I think we should use this to point to the <TstInfo>, implicitly. Nick's suggestions ------------------------------- - renamed <Outputs> to <OptionalOutputs> - moved <Timestamp> and <RequesterIdentity> into a single "Core Elements" section (5) - added editorial note #10 that the spec may be updated as we work on profiles Frederick's suggestions ----------------------------------- - namespace prefixes aren't normative (1.2) - a new version will use a different namespace (1.2) - new overview (1.3) - renamed <dss:Signature> to <dss:SignatureObject> (2.4) - changed ResultMajor/ResultMinor to be string and URI, respectively, instead of QNames (2.7) - new, more detailed "Basic Processing" (3.3) - made <KeySelector> extensible (3.4.4) - moved common optional inputs to section 2 (2.6) - removed <IgnoreMissingInputDocuments> (4.5) - changed <SigningTime> optional output, on verify, to have a "ThirdPartyTimestamp" attribute, instead of a "Trusted" attribute - fixed URNs in 6.1 - added some additional text, in a few places Not Done -------------- - move SignatureType out of optional inputs? - Frederick: "Indicate Manifest reference hash checking is not performed by default, and only is if option VerifyManifests is present (refer to 4.5.5)" Trevor: on further thought, shouldn't it be left to profiles to define whether this optional input is enabled by default? Juan Carlos' suggestions --------------------------------- - made MimeType attribute on Document/Base64Data optional - fixed <ds:SignedReference> to be minOccurs="1" maxOccurs="unbounded" - separated schema presentation of options/outputs - fixed a few typos - added some additional text, in several places Not Done ---------------- - Didn't change <ProcessingDetails>; discussions still ongoing - Didn't add a SignatureType URI for pkcs#7; Nick suggested only having a single URI for CMS/PKCS#7; unsure what to do here Trevor
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]