oasis dss 1.0 profiles xades spec cd 01
DESCRIPTION
mmTRANSCRIPT
-
1
XAdES Profiles of the OASIS Digital 2 3
4
5
6 7
8 9
10 11
12 13 14 15
16 17 18 19 20 21
22 23 24 25 26 27 28 29
30
Signature Service Committee Draft, 24 December 2004 (Working Draft 06)
Document identifier: oasis-dss-1.0-profiles-XAdES-spec-cd-01
Location: http://docs.oasis-open.org/dss/
Editor: Juan Carlos Cruellas, individual
Contributors: Nick Pope, individual Ed Shallow, Universal Post Union Trevor Perrin, individual
Abstract: This draft defines one abstract profile of the OASIS DSS protocols for the purpose of creating and verifying XML or CMS based Advanced Electronic Signatures. It also defines two concrete sub-profiles: one for creating and verifying XML Advanced Electronic Signatures and the other for creating and verifying CMS based Advanced Electronic Signatures.
Status: This is a Committee Draft produced by the OASIS Digital Signature Service Technical Committee. Committee members should send comments on this draft to [email protected]. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Digital Signature Service TC web page at http://www.oasis-open.org/committees/dss/ipr.php.
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 1 of 31
http://docs.oasis-open.org/dss/mailto:[email protected]:[email protected]:[email protected]:[email protected]://www.oasis-open.org/committees/dss/ipr.php -
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 2 of 31
Table of Contents 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74
1 Introduction ....................................................................................................................... 5 1.1 Notation .................................................................................................................... 5 1.2 Namespaces ............................................................................................................ 5
2 Overview ........................................................................................................................... 6 3 Advanced Electronic Signature abstract profile ................................................................ 7
3.1 Overview .................................................................................................................. 7 3.2 Profile Features ........................................................................................................ 8
3.2.1 Scope................................................................................................................... 8 3.2.2 Relationship To Other Profiles............................................................................. 8 3.2.3 Signature Object .................................................................................................. 8
3.3 Profile of Signing Protocol........................................................................................ 8 3.3.1 Element ...................................................................................... 9
3.3.1.1 Element .......................................................................................9 3.3.1.1.1 Element ..................................................................................9 3.3.1.1.2 Element ..................................................................................9 3.3.1.1.3 Optional inputs < ClaimedIdentity> / ...........................................9 3.3.1.1.4 Element .................................................................................9 3.3.1.1.5 Element ............................................................................ 10
3.3.1.1.5.1 Requesting SigningTime ........................................................................... 10 3.3.1.1.5.2 Requesting CommitmentTypeIndication.................................................... 10 3.3.1.1.5.3 Requesting SignatureProductionPlace ...................................................... 10 3.3.1.1.5.4 Requesting SignerRole.............................................................................. 10 3.3.1.1.5.5 Requesting ............................. 11 3.3.1.1.5.6 Requesting data objects format ............................................................... 11
3.3.2 Element ................................................................................. 12 3.3.2.1 Element .................................................................................................. 12 3.3.2.2 Element ................................................................................... 12 3.3.2.3 Element ..................................................................... 12
3.4 Profile of Verifying Protocol.................................................................................... 12 3.4.1 Element .................................................................................. 12
3.4.1.1 Attribute Profile ...................................................................................................... 13 3.4.1.2 Element ..................................................................................... 13
3.4.1.2.1 Element ................................................................ 13 4 Element ............................................................................................ 14
4.1.1.1 Element .................................................................................. 14 4.1.1.1.1 Element ........................................................................... 14
5 XML Advanced Electronic Signatures concrete Profile .................................................. 15 5.1 Overview ................................................................................................................ 15 5.2 Profile features ....................................................................................................... 15
5.2.1 Identifier ............................................................................................................. 15 5.2.2 Scope................................................................................................................. 15 5.2.3 Relationship To Other Profiles........................................................................... 16 5.2.4 Signature Object ................................................................................................ 16 5.2.5 Transport Binding............................................................................................... 16
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 3 of 31
75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90
91 92 93 94 95 96 97 98 99
100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122
5.2.6 Security Binding ................................................................................................. 16 5.3 Profile of Signing Protocol...................................................................................... 16
5.3.1 Element .................................................................................... 16 5.3.1.1 Attribute Profile ...................................................................................................... 16 5.3.1.2 Element ..................................................................................... 16
5.3.1.2.1 Element ................................................................................ 16 5.3.1.2.2 Element ................................................................................ 17 5.3.1.2.3 Optional inputs < ClaimedIdentity> / ......................................... 17 5.3.1.2.4 Element ............................................................................... 17 5.3.1.2.5 Element ............................................................................ 17
5.3.1.2.5.1 Requesting SigningTime ........................................................................... 17 5.3.1.2.5.2 Requesting CommitmentTypeIndication.................................................... 17 5.3.1.2.5.3 . Requesting SignatureProductionPlace .................................................... 17 5.3.1.2.5.4 Requesting SignerRole.............................................................................. 17 5.3.1.2.5.5 Requesting ............................. 17 5.3.1.2.5.6 Requesting data objects format ............................................................... 17
5.3.2 Element ................................................................................. 17 5.3.2.1 Element .................................................................................................. 17 5.3.2.2 Element ................................................................................... 18
5.4 Profile of Verifying Protocol.................................................................................... 18 5.4.1 Element .................................................................................. 18
5.4.1.1 Attribute Profile ...................................................................................................... 18 5.4.1.2 Element ..................................................................................... 18
5.4.1.2.1 Element ................................................................ 18 5.4.1.3 Element ................................................................................... 18
5.4.2 Element ............................................................................... 18 5.4.2.1 Attribute Profile ........................................................ Error! Bookmark not defined. 5.4.2.2 Element .................................................................................. 18
5.4.2.2.1 Element ........................................................................... 18 5.5 Profile Bindings ...................................................................................................... 18
5.5.1 Transport Bindings............................................................................................. 18 5.5.2 Security Bindings ............................................................................................... 19
5.5.2.1 Security Requirements .......................................................................................... 19 5.5.2.2 TLS X.509 Mutual Authentication .......................................................................... 19
6 CMS-based Advanced Electronic Signature profile........................................................ 20 6.1 Overview ................................................................................................................ 20 6.2 Profile features ....................................................................................................... 20
6.2.1 Identifier ............................................................................................................. 20 6.2.2 Scope................................................................................................................. 21 6.2.3 Relationship To Other Profiles........................................................................... 21 6.2.4 Signature Object ................................................................................................ 21 6.2.5 Transport Binding............................................................................................... 21 6.2.6 Security Binding ................................................................................................. 21
6.3 Profile of Signing Protocol...................................................................................... 21 6.3.1 Element .................................................................................... 21
6.3.1.1 Attribute Profile ...................................................................................................... 21 6.3.1.2 Element ..................................................................................... 21
6.3.1.2.1 Element ................................................................................ 21
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 4 of 31
123 124 125 126 127 128 129 130 131
132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159
6.3.1.2.2 Element ................................................................................ 22 6.3.1.2.3 Optional inputs < ClaimedIdentity> / ......................................... 22 6.3.1.2.4 Element ............................................................................... 22 6.3.1.2.5 Element ............................................................................ 22
6.3.1.2.5.1 Requesting SigningTime ........................................................................... 22 6.3.1.2.5.2 Requesting CommitmentTypeIndication.................................................... 22 6.3.1.2.5.3 . Requesting SignatureProductionPlace .................................................... 22 6.3.1.2.5.4 Requesting SignerRole.............................................................................. 22 6.3.1.2.5.5 Requesting data objects format ................................................................ 22
6.3.2 Element ................................................................................. 22 6.3.2.1 Attribute Profile ........................................................ Error! Bookmark not defined. 6.3.2.2 Element .................................................................................................. 23 6.3.2.3 Element ................................................................................... 23
6.4 Profile of Verifying Protocol.................................................................................... 23 6.4.1 Element .................................................................................. 23
6.4.1.1 Attribute Profile ...................................................................................................... 23 6.4.1.2 Element ..................................................................................... 23
6.4.1.2.1 Element ................................................................ 23 6.4.1.3 Element ................................................................................... 23
6.4.2 Element ............................................................................... 23 6.4.2.1 Attribute Profile ........................................................ Error! Bookmark not defined. 6.4.2.2 Element .................................................................................. 23
6.4.2.2.1 Element ........................................................................... 23 6.5 Profile Bindings ...................................................................................................... 23
6.5.1 Transport Bindings............................................................................................. 23 6.5.2 Security Bindings ............................................................................................... 23
6.5.2.1 Security Requirements .......................................................................................... 23 6.5.2.2 TLS X.509 Mutual Authentication .......................................................................... 24
7............................................................................................................................................... 25 8 Identifiers defined in this specification ............................................................................ 26
8.1 Predefined advanced electronic signature forms identifiers .................................. 26 9 Editorial Issues................................................................................................................ 27 10 References...................................................................................................................... 29
10.1 Normative ............................................................................................................... 29 Appendix A. Revision History .................................................................................................. 30 Appendix B. Notices ................................................................................................................ 31
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 5 of 31
1 Introduction 160 161 162 163 164 165 166 167
168
169 170 171 172 173 174
175 176
177
178 179 180 181
182
The DSS signing and verifying protocols are defined in [DSSCore]. As defined in that document, the DSS protocols have a fair degree of flexibility and extensibility. This document defines an abstract profile for the use of the DSS protocols for creating and verifying XML and binary Advanced Electronic Signatures as defined in [COMMENT: Bold these and other references:] [XAdES] and [TS 101 733]. This document also defines two concrete profiles derived from the abstract one: one for creating and verifying XAdES signatures and the other for creating and verifying signatures as defined in TS 101733.
1.1 Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119 [RFC 2119]. These keywords are capitalized when used to unambiguously specify requirements over protocol features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
This specification uses the following typographical conventions in text: , Attribute, Datatype, OtherCode.
1.2 Namespaces The structures described in this specification are contained in the schema file [XAdES-ABS-XSD]. All schema listings in the current document are excerpts from the schema file. In the case of a disagreement between the schema file and this document, the schema file takes precedence.
This schema is associated with the following XML namespace: http://www.docs.oasis-open.org/dss/oasis-dss-1.0-profiles-XAdES-cd-01# 183
184
185
186
187
188 189
190 191 192
If a future version of this specification is needed, it will use a different namespace.
Conventional XML namespace prefixes are used in this document:
o The prefix dss: (or no prefix) stands for the DSS core namespace [Core-XSD].
o The prefix ds: stands for the W3C XML Signature namespace [XMLSig].
o The prefix xades: stands for ETSI XML Advanced Electronic Signatures (XAdES) document [XAdES].
Applications MAY use different namespace prefixes, and MAY use whatever namespace defaulting/scoping conventions they desire, as long as they are compliant with the Namespaces in XML specification [XML-ns].
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 6 of 31
2 Overview 193 194 195
196 197 198
199 200
201 202
203 204
This document defines three profiles of the protocols specified in: Digital Signature Services Core Protocol and Elements [DSSCore].
The first one is an abstract profile defining messages for supporting the lifecycle of advanced electronic signatures. Both, XML and binary advanced electronic signatures are supported by this profile.
One concrete profile, derived from the aforementioned abstract profile, gives support to the lifecycle of XML advanced electronic signatures as specified in [XAdES].
A second concrete profile, also derived from the abstract one, gives support to the lifecycle of binary advanced electronic signatures as specified in [TS 101733].
Implementations should implement one of the concrete profiles (or both) in order to request generation or validation of advanced electronic signatures in one of the two formats (or both).
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 7 of 31
3 Advanced Electronic Signature abstract 205 206
207
208 209
210
211
212 213 214
215
216
217 218
219 220 221 222
223 224 225 226
227
228 229
230 231 232
233 234 235 236
237
238
239
240 241
242 243 244
245 246
profile 3.1 Overview This abstract profile supports operations within each phase of the lifecycle of two types of advanced electronic signature:
XML encoded signatures based on [XMLSig] such as specified in [XAdES].
Binary encoded signatures based on [RFC 3161] such as specified in [TS 101733].
Henceforward, the document will use the term advanced signature when dealing with issues that affect to both types of signatures. The document will use XAdES or TS 101733 signatures when dealing with issues that affect one or the other but not both of them.
For the generation of advanced signatures, the following operations apply:
SignRequest. This operation supports requests for:
o Generating predefined advanced signature forms as defined in [XAdES] and [TS 101733].
o Generating XML signatures incorporating specific signed/unsigned properties whose combination does not fit any predefined XAdES signature form. In such cases, the form MUST have been defined in a proprietary specification and MUST be identified by one URI.
o Generating CMS signatures incorporating specific signed/unsigned attributes whose combination does not fit any predefined [TS 101733] signature forms. In such cases, the form MUST have been defined in a proprietary specification and MUST be identified by one URI.
SignResponse. This operation supports delivery of:
o Predefined advanced signature forms as defined in [XAdES] and [TS 101733].
o XML signatures with specific properties whose combination does not fit any predefined XAdES signature form. In such cases, the form MUST have been defined in some other specification and MUST be identified by one URI.
o CMS signatures incorporating specific signed attributes whose combination does not fit any predefined [TS 101733] signature form. In such cases, the form MUST have been defined in some other specification and MUST be identified by one URI.
For advanced signature verification (and updating) the following operations apply:
VerifyRequest. This operation supports requests for:
o Verifying a predefined advanced signature form.
o Verifying XML signatures incorporating specific properties whose combination does not fit any predefined XAdES signature form.
o Verifying any of the signatures mentioned above PLUS updating them by addition of additional properties (time-stamps, validation data, etc) leading to a predefined XAdES form.
o Verifying CMS signatures incorporating specific attributes whose combination does not fit any predefined [TS 101733] signature form.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 8 of 31
247 248 249
250
251
252
253 254
255
256
257
258
259
260
261 262
263
264 265
266 267 268
269
270
271 272
273 274
275
276 277 278 279
280 281
282 283
284 285
286
287
o Verifying any of the signatures mentioned above PLUS updating them by addition of additional attributes (time-stamps, validation data, etc) leading to a predefined [TS 101733] form.
o Verifying a long-term advanced signature in a certain point of time.
VerifyResponse. This operation supports delivery of:
o Advanced signature verification result of signatures mentioned above.
o Advanced signature verification result PLUS the updated signatures as requested.
o Updated signatures as requested.
The material for each operation will clearly indicate the lifecycle phase it pertains to.
3.2 Profile Features
3.2.1 Scope This document profiles the DSS signing and verifying protocols defined in [DSSCore].
3.2.2 Relationship To Other Profiles
The profile in this document is based on the [DSSCore]. The profile in this document is not directly implementable, and may be further profiled.
3.2.3 Signature Object This profile supports the creation and verification of advanced signatures as defined in [XAdES] and [TS 101733].
This profile also supports update of advanced signatures by addition of unsigned properties (time-stamps and different types of validation data), as specified in [XAdES] and [TS 101733].
3.3 Profile of Signing Protocol The present profile allows requesting:
Predefined forms of advanced electronic signatures as defined in [XAdES] and [TS 101733].
Other forms of signatures based in [XMLSig] or [RFC 3369] defined in other specifications,
In both cases, the specific requested form will be identified by an URI.
According to this profile, the following predefined advanced signature forms defined in [XAdES] and [TS 101733] MAY be requested (those forms whose name begin by XAdES- are forms names for XAdES signatures; the other ones denote forms for TS 101733 signatures):
BES and XAdES-BES. In this form, the signing certificate is secured by the signature itself.
EPES and XAdES-EPES. This form incorporates an explicit identifier of the signature policy that will govern the signature generation and verification.
ES-T and XAdES-T. This form incorporates a trusted time, by means of a time-stamp token or a time-mark.
ES-C and XAdES-C.
ES-X and XAdES-X.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 9 of 31
288
289
290 291 292 293
294 295
296
297
298 299
300
301
302
303
304
305
306 307
308
309
ES-X-L and XAdES-X-L.
ES-A and XAdES-A.
In addition, the present profile provides means for requesting incorporation in any of the aforementioned forms any of the following properties: SigningTime, CommitmentTypeIndication, SignatureProductionPlace, SignerRole, IndividualDataObjectTimeStamp, AllDataObjectTimeStamp and DataObjectFormat.
Other electronic signature forms based in [XMLSig] or [RFC 3369], defined elsewhere, MAY also be requested using the mechanisms defined in this profile.
3.3.1 Element
3.3.1.1 Element
None of the optional inputs specified in the [DSS Core] are precluded in this abstract profile. It only constrains some of them and specifies additional optional inputs.
3.3.1.1.1 Element This element is OPTIONAL. If present, SHALL be either:
urn:ietf:rfc:3275
for requesting XML Signatures, or
urn:-ietf:rfc:3369
for requesting CMS Signatures, as defined in 7.1 of [DSS Core].
If not present the signature type SHALL be implied by the selected or the signature policy applied by the server.
3.3.1.1.2 Element The form of signature required MAY be indicated using the following optional input 310
311 312
313 314
315 316 317
318 319
320
321 322
323 324 325
326
327 328
If not present the signature form SHALL be implied by the selected or the signature policy applied by the server.
Section 8.1 of this abstract profile defines a set of URIs identifying the predefined advanced electronic signature forms specified in [TS101733] and [XAdES].
Should other standard or proprietary specification define new signature forms and their corresponding URIs, concrete sub-profiles of this abstract profile could be defined for giving support to their verification and update.
Should a form identified by an URI, admit different properties combinations, the server will produce a specific combination depending on its policy or configuration settings.
3.3.1.1.3 Optional inputs < ClaimedIdentity> / As forms defined in [XAdES] and [TS 101733] require that the signing certificate is protected by the signature, the server MUST gain access to that certificate.
or optional inputs MAY be present. If they are not present, the server may use means not specified in this profile to identify the signers key and gain access to its certificate.
3.3.1.1.4 Element This element MAY be used by the client to request the inclusion in the advanced signature of a time-stamp on all the data that are to be signed.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 10 of 31
329
330
331 332
333
334 335 336
337 338 339
340
341
342
343
344
345
346 347
348 349 350
This profile defines the following value for its Type attribute.
urn:oasis:names:tc:dss:1.0:profiles:XAdES:AllDataObjectTimeStamp
Note: IndividualDataObjectsTimeStamp is requested using element as defined in section 3.3.1.1.5.5.
3.3.1.1.5 Element The requester MAY request to the server the addition of optional signed properties using the elements child profiled as indicated in clauses below.
Signed properties that MAY be requested are: SigningTime, CommitmentTypeIndication, SignerRole, SignatureProductionPlace, DataObjectFormat, and IndividualDataObjectsTimeStamp.
3.3.1.1.5.1 Requesting SigningTime Value for element:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:SigningTime
No content is required for Value element, since it will be generated by the server.
3.3.1.1.5.2 Requesting CommitmentTypeIndication Value for element:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:CommitmentTypeIndication
When the value of the commitment is fixed by the requester, this property will have a value that the server will incorporate to the advanced signature. In such cases the element MUST have the following content: 351 352 353 354 355 356 357 358
359 360
361 362 363
364
365
366
367
368
369
370
Element will be present when requesting a XML signature.
Element will be present when requesting a ASN.1 signature. Its contents MUST be the base64 encoding of CommitmentTypeIndication ASN.1 type defined in [TS 101733], DER-encoded.
3.3.1.1.5.3 Requesting SignatureProductionPlace Value for element:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:SignatureProductionPlace
No content is required for element, as it will be generated by the server.
3.3.1.1.5.4 Requesting SignerRole Value for element:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:SignerRole
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 11 of 31
371 372 373
When the value of the role is fixed by the requester, this property will have a value that the server will incorporate to the advanced signature. In such cases the element MUST have the following content: 374 375 376 377 378 379 380 381
Element will be present when requesting a XML signature. 382
383 384 385
386
387 388
389
390 391
392 393
Element will be present when requesting a ASN.1 signature. Its contents MUST be the base64 encoding of SignerAttribute ASN.1 type defined in [TS 101733], DER-encoded.
3.3.1.1.5.5 Requesting This property is only incorporated in XAdES signatures, not in TS101733 signatures, because an XML signature is able to sign several documents.
Value for element:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:IndividualDataObjectTimeStamp
In this case, the content of element will be the element , defined as shown below. 394 395 396 397 399 400 401 402 403 405 406 407
408 409
410 411 412 413 414 415
416 417 418 419
420
421 422
WhichDocument attribute contains the reference to the document whose time-stamp is requested (see attribute ID in [CoreDSS] section 2.4.1).
[XAdES] mandates that elements corresponding to signed documents that have been individually time-stamped before being signed, must include an Id attribute. [XAdES] also mandates element to use this Id attribute to indicate what signed documents have actually been time-stamped before signing. See [XAdES] and definitions for more details.
The client MAY request a value for the elements Id attribute using the RefId optional attribute if a forcing a value for such an attribute is not present in the request. If the request does not specify a value for this attribute, then the server will automatically generate it.
3.3.1.1.5.6 Requesting data objects format Both [XAdES] and [TS101733] specify signed properties containing information on the format of the signed documents.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 12 of 31
423
424
425 426 427
Value for Identifier element:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:DataObjectFormat
When the value of the data object formats are fixed by the requester, this property will have a value that the server will incorporate to the advanced signature. The content of element will be the element , defined as shown below. 428 429 430 431 432 433 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449
450
451 452 453
454
455
456
457
458
459
460 461
462 463
464
465
466
467
468
Element will be present when requesting a XML signature.
Element will be present when requesting a ASN.1 signature. Its contents MUST be the base64 encoding of ContentHints ASN.1 type defined in [RFC 2634] DER-encoded.
3.3.2 Element This clause profiles the dss:SignResponse element for the requests profiled in clause 3.3.1
3.3.2.1 Element This profile does not apply any restriction to the dss:Result element.
3.3.2.2 Element The following restrictions apply to the contents of dss:SignatureObject:
When the generation of a CMS based signature is requested, the base-64 encoded signature MUST be present in the dss:Base64Signature element.
When the generation of an enveloping or detached XMLSig based signature is requested, this element will contain a ds:Signature element.
3.3.2.3 Element This element will only appear if an enveloped XML signature is requested.
3.4 Profile of Verifying Protocol
3.4.1 Element This clause specifies the profile for the contents of the dss:VerifyRequest when used for:
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 13 of 31
469
470 471
472
473 474
475
476 477
478 479 480
481
482 483
484
485 486 487
488 489 490
491 492
Requesting verification of advanced signatures.
Requesting verification of advanced signatures AND update of signatures to other predefined forms.
3.4.1.1 Attribute Profile The value for the Profile attribute, indicating the concrete sub-profile of this abstract profile, MUST be present.
3.4.1.2 Element This profile specifies restrictions for the following possible children of dss:OptionalInputs element:
. This element SHALL be present when the client requests verification of a signature and update to other predefined form of advanced signature.
3.4.1.2.1 Element This element MUST be present when the client requests verification of a signature and update to a predefined form of advanced signature.
The Type attribute identifies the advanced signature form requested.
Acceptable predefined values for this attribute are the URIs specified in table 1 corresponding to the following forms predefined in [TS101733] and [XAdES]: XAdES-T/ES-T, XAdES-C/ES-C, XAdES-X/ES-X,XAdES-X-L,ES-X-L, XAdES-A, ES-A.
Should other standard or proprietary specification define new signature forms and their corresponding URIs, concrete sub-profiles of this abstract profile could be defined for giving support to their verification and update.
When the requested form allows for different contents, the server MUST decide the specific contents of the updated signature delivered, according to its configuration and settings.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 14 of 31
4 Element 493 494
495
496 497
498
499
500 501
502 503
504 505
506
507 508
4.1.1.1 Element This profile specifies restrictions for the following optional outputs:
. This element MUST be present in a successful response of a request containing .
No additional restrictions are applied by this profile to the contents of any additional outputs.
4.1.1.1.1 Element The content of the dss:UpdatedSignature will be a dss:SignatureObject element profiled according to the following rules:
When the update of a CMS based signature is requested, the base-64 encoded signature itself MUST be present in the dss:Base64Signature element.
When the update of a XMLSig based signature is requested, one of the following elements MUST appear:
The ds:Signature containing a XMLSig based signature.
The dss:SignaturePtr pointing to the XMLSig based signature embedded in one of the input documents.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 15 of 31
5 XML Advanced Electronic Signatures 509 510
511
512 513 514 515
516
517
518
519 520 521 522
523
524
525 526 527
528
529
530
531 532
533 534 535
536
537
538
539 540
541
542
543
544
545
546
concrete Profile 5.1 Overview This concrete profile supports operations within each phase of the lifecycle of XML Advanced Electronic Signature based on [XMLSig] such as specified in [XAdES]. It will then provide all the features related to XAdES signatures that are specified in the abstract profile defined in section 3.
For the generation of XAdES signatures, the following operations apply:
SignRequest. This operation supports requests for:
o Generating predefined advanced signature forms as defined in [XAdES].
o Generating XML signatures incorporating specific signed/unsigned properties whose combination does not fit any predefined XAdES signature form. In such cases, the form MUST have been defined in a proprietary specification and MUST be identified by one URI.
o SignResponse. This operation supports delivery of:
o Predefined advanced signature forms as defined in [XAdES].
o XML signatures with specific properties whose combination does not fit any predefined XAdES signature form. In such cases, the form MUST have been defined in a proprietary specification and MUST be identified by one URI.
For verification [and updating] of XAdES signatures the following operations apply:
VerifyRequest. This operation supports requests for:
o Verifying a predefined XAdES signature form.
o Verifying XML signatures incorporating specific properties whose combination does not fit any predefined XAdES signature form.
o Verifying any of the signatures mentioned above PLUS updating them by addition of additional properties (time-stamps, validation data, etc) leading to a predefined XAdES form.
o Verifying a long-term advanced signature in a certain point of time.
VerifyResponse. This operation supports delivery of:
o Advanced signature verification result of signatures mentioned above.
o Advanced signature verification result PLUS the updated signatures as requested.
o Updated signatures as requested.
5.2 Profile features
5.2.1 Identifier urn:oasis:names:tc:dss:1.0:profiles:XAdES.
5.2.2 Scope This document profiles the DSS abstract profile defined in section 3 of the present document.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 16 of 31
547
548 549
550
551 552
553 554 555
556
557
558
559
560
561
562
563
564
565 566 567
568 569 570 571
572 573
574
575
576
577
578 579
580
581
582
5.2.3 Relationship To Other Profiles
The profile in this section is based on the abstract profile for Advanced Electronic Signatures defined in section 3.
5.2.4 Signature Object This profile supports the creation and verification of XML advanced signatures as defined in [XAdES]].
This profile also supports verification and update of advanced signatures by addition of unsigned properties (time-stamps and different types of validation data), as specified in [XAdES]
5.2.5 Transport Binding This profile does not specify or constrain the transport binding.
5.2.6 Security Binding This profile does not specify or constrain the security binding.
5.3 Profile of Signing Protocol The present profile allows requesting:
Predefined forms of advanced electronic signatures as defined in [XAdES].
Other forms of signatures based in [XMLSig] defined in other specifications,
In both cases, the specific requested form will be identified by an URI.
According to this profile, the following predefined advanced signature forms defined in [XAdES] MAY be requested: XAdES-BES, XAdES-EPES, XAdES-T, XAdES-C, XAdES-X, XAdES-X-L., and XAdES-A.
In addition, the present profile provides means for requesting incorporation in any of the aforementioned forms any of the following properties: SigningTime, CommitmentTypeIndication, SignatureProductionPlace, SignerRole, IndividualDataObjectTimeStamp, AllDataObjectTimeStamp and DataObjectFormat.
Other electronic signature forms based in [XMLSig] defined elsewhere MAY also be requested using the mechanisms defined in this profile.
5.3.1 Element
5.3.1.1 Attribute Profile urn:oasis:names:tc:dss:1.0:profiles:XAdES.
5.3.1.2 Element
None of the optional inputs specified in the [DSS Core] are precluded in this abstract profile. It only constrains some of them and specifies additional optional inputs.
5.3.1.2.1 Element This element is MANDATORY. Its vaule MUST be:
urn: ietf:rfc:3275
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 17 of 31
583
584
585
586
587
588
589
590
591
592
593
594
595 596 597
598
599
600
601
602
603 604 605
606
607
608
609
610
611 612 613
614
615 616
617
618
5.3.1.2.2 Element Usage of these elements is according to what is stated in section 3.3.1.1.2 .
5.3.1.2.3 Optional inputs < ClaimedIdentity> / Usage of these elements is according to what is stated in section 3.3.1.1.3.
5.3.1.2.4 Element Usage of these elements is according to what is stated in section 3.3.1.1.4.
5.3.1.2.5 Element
5.3.1.2.5.1 Requesting SigningTime Usage of these elements is according to what is stated in section 3.3.1.1.5.1.
5.3.1.2.5.2 Requesting CommitmentTypeIndication The value for element is the one defined in section 3.3.1.1.5.2:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:CommitmentTypeIndication
When the value of the commitment is established by the requester, the element MUST contain a element as defined in section 3.3.1.1.5.2 with the child.
5.3.1.2.5.3 . Requesting SignatureProductionPlace Usage of these elements is according to what is stated in section 3.3.1.1.5.3
5.3.1.2.5.4 Requesting SignerRole Value for element:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:SignerRole
When the value of the role is fixed by the requester, the element MUST contain a element as defined in section 3.3.1.1.5.4 with the child.
5.3.1.2.5.5 Requesting Usage of these elements is according to what is stated in section 3.3.1.1.5.5.
5.3.1.2.5.6 Requesting data objects format Value for element:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:DataObjectFormat
When the value of the data object formats are fixed by the requester, the element MUST contain a element as defined in section 3.3.1.1.5.6 with the child.
5.3.2 Element This section profiles the dss:SignResponse element for the requests profiled in clause 5.3.1.
5.3.2.1 Element This profile does not apply any restriction to the dss:Result element.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 18 of 31
619
620
621
622 623 624 625
626
627
628
629
630
631
632
633
634
635
636 637
638
639
640
641
642 643
644
645 646
647
648
649 650
5.3.2.2 Element The content of this element MUST be one of the following:
A ds:Signature element containing a XMLSig based signature.
A dss:SignaturePtr pointing to the XMLSig based signature embedded in one of the output documents. In such a case, the optional output element, containing the signature created, MUST be present within the dss:DocumentWithSignature element
5.4 Profile of Verifying Protocol
5.4.1 Element
5.4.1.1 Attribute Profile urn:oasis:names:tc:dss:1.0:profiles:XAdES.
5.4.1.2 Element
5.4.1.2.1 Element Usage of these elements is according to what is stated in section 3.4.1.2.1.
5.4.1.3 Element The dss:SignatureObject element will have one of the following contents:
A ds:Signature containing a XMLSig based signature.
A dss:SignaturePtr pointing to the XMLSig based signature embedded in one of the inputdocuments.
5.4.2 Element
5.4.2.1 Element Usage of these elements is according to what is stated in section 4.1.1.1.
5.4.2.1.1 Element The content of the dss:UpdatedSignature will be a dss:SignatureObject element with one of the following contents:
A ds:Signature containing a XMLSig based signature.
A dss:SignaturePtr pointing to the XMLSig based signature embedded in one of the inputdocuments.
5.5 Profile Bindings
5.5.1 Transport Bindings Messages transported in this profile MAY be transported by the HTTP POST Transport Binding and the SOAP 1.2 Transport Binding defined in [DSSCore].
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 19 of 31
651
652
653
654
655
656 657
658
659
660
661 662
663
5.5.2 Security Bindings
5.5.2.1 Security Requirements This profile MUST use security bindings that:
Authenticates the requester to the DSS server
Authenticates the DSS server to the DSS client
Protects the integrity or a request, response and the association of response to the request.
Optionally, protects the confidentiality of a request and response.
The following MAY be used to meet these requirements.
5.5.2.2 TLS X.509 Mutual Authentication This profile is secured using the TLS X.509 Mutual Authentication Binding defined in [DSSCore].
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 20 of 31
6 CMS-based Advanced Electronic Signature 664 665
666
667 668 669 670
671
672
673
674 675 676 677
678
679
680 681 682 683
684 685
686
687
688 689
690 691 692
693
694
695
696 697
698
699
700
701
profile 6.1 Overview This concrete profile supports operations within each phase of the lifecycle of CMS based Advanced Electronic Signature based on [RFC 3369] such as specified in [TS 101733]. It will then provide all the features related to TS 101733 signatures that are specified in the abstract profile defined in section 3.
For the generation of TS101733 signatures, the following operations apply:
SignRequest. This operation supports requests for:
o Generating predefined advanced signature forms as defined in [TS101733].
o Generating CMS signatures incorporating specific signed/unsigned attributes whose combination does not fit any predefined [TS 101733] signature forms. In such cases, the form MUST have been defined in a proprietary specification and MUST be identified by one URI.
o SignResponse. This operation supports delivery of:
o Predefined advanced signature forms as defined in [TS101733].
o CMS signatures incorporating specific signed attributes whose combination does not fit any predefined [TS 101733] signature form. In such cases, the form MUST have been defined in a proprietary specification and MUST be identified by one URI.
For verification [and updating] of signatures as specified in [TS 101733] the following operations apply:
VerifyRequest. This operation supports requests for:
o Verifying a predefined [TS 101733] signature form.
o Verifying CMS signatures incorporating specific attributes whose combination does not fit any predefined [TS 101733] signature form.
o Verifying any of the signatures mentioned above PLUS updating them by addition of additional attributes (time-stamps, validation data, etc) leading to a predefined [TS 101733] form.
o Verifying a long-term advanced signature in a certain point of time.
VerifyResponse. This operation supports delivery of:
o Advanced signature verification result of signatures mentioned above.
o Advanced signature verification result PLUS the updated signatures as requested.
o Updated signatures as requested.
6.2 Profile features
6.2.1 Identifier urn:oasis:names:tc:dss:1.0:profiles:CAdES.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 21 of 31
702
703
704
705 706
707
708 709
710 711 712
713
714
715
716
717
718
719
720
721
722 723
724 725 726 727
728 729
730
731
732
733
734 735
736
737
738
6.2.2 Scope This document profiles the DSS abstract profile defined in section 3 of the present document.
6.2.3 Relationship To Other Profiles
The profile in this document is based on the abstract profile for Advanced Electronic Signatures defined in section 3.
6.2.4 Signature Object This profile supports the creation and verification of CMS based advanced signatures as defined in [TS101733]].
This profile also supports verification and update of advanced signatures by addition of unsigned properties (time-stamps and different types of validation data), as specified in [TS101733]
6.2.5 Transport Binding This profile does not specify or constrain the transport binding.
6.2.6 Security Binding This profile does not specify or constrain the security binding.
6.3 Profile of Signing Protocol The present profile allows requesting:
Predefined forms of advanced electronic signatures as defined in [TS 101733].
Other forms of signatures based in [RFC 3369] defined in other specifications,
In both cases, the specific requested form will be identified by an URI.
According to this profile, the following predefined advanced signature forms defined in [TS 101733] MAY be requested: BES, EPES, ES-T, ES-C, ES-X, ES-X-L, and ES-A
In addition, the present profile provides means for requesting incorporation in any of the aforementioned forms any of the following properties: SigningTime, CommitmentTypeIndication, SignatureProductionPlace, SignerRole, IndividualDataObjectTimeStamp, AllDataObjectTimeStamp and DataObjectFormat.
Other electronic signature forms based in [RFC 3369], defined elsewhere, MAY also be requested using the mechanisms defined in this profile.
6.3.1 Element
6.3.1.1 Attribute Profile urn:oasis:names:tc:dss:1.0:profiles:CAdES.
6.3.1.2 Element
None of the optional inputs specified in the [DSS Core] are precluded in this abstract profile. It only constrains some of them and specifies additional optional inputs.
6.3.1.2.1 Element This element is MANDATORY. Its vaule MUST be:
urn: ietf:rfc:3369
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 22 of 31
739
740
741
742
743
744
745
746
747
748
749
750
751
752 753 754 755
756
757
758
759
760
761 762 763 764
765
766
767
768 769 770 771
772
773 774
6.3.1.2.2 Element Usage of these elements is according to what is stated in section 3.3.1.1.2 .
6.3.1.2.3 Optional inputs < ClaimedIdentity> / Usage of these elements is according to what is stated in section 3.3.1.1.3.
6.3.1.2.4 Element Usage of these elements is according to what is stated in section 3.3.1.1.4.
6.3.1.2.5 Element This section profiles section 3.3.1.1.5.
6.3.1.2.5.1 Requesting SigningTime Usage of these elements is according to what is stated in section 3.3.1.1.5.1.
6.3.1.2.5.2 Requesting CommitmentTypeIndication The value for element is the one defined in section 3.3.1.1.5.2:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:CommitmentTypeIndication
When the value of the commitment is established by the requester, the element MUST contain a element as defined in section 3.3.1.1.5.2 with the child containing the base64encoding of CommitmentTypeIndication ASN.1 type as specified in [TS101733], DER-encoded.
6.3.1.2.5.3 . Requesting SignatureProductionPlace Usage of these elements is according to what is stated in section 3.3.1.1.5.3
6.3.1.2.5.4 Requesting SignerRole Value for element:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:SignerRole
When the value of the role is fixed by the requester, the element MUST contain a element as defined in section 3.3.1.1.5.4 with the child containing the base64encoding of SignerAttribute ASN.1 type as specified in [TS101733], DER-encoded.
6.3.1.2.5.5 Requesting data objects format Value for element:
urn:oasis:names:tc:dss:1.0:profiles:XAdES:DataObjectFormat
When the value of the data object formats are fixed by the requester, the element MUST contain a element as defined in section 3.3.1.1.5.6 with the child containing the base64encoding of ContentHints ASN.1 type as specified in [TS101733], DER-encoded.
6.3.2 Element This section profiles the dss:SignResponse element for the requests profiled in clause 5.3.1.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 23 of 31
775
776
777
778 779
780
781
782
783
784
785
786
787
788 789
790
791
792
793
794 795
796
797
798
799 800
801
802
803
804
805
806 807
6.3.2.1 Element This profile does not apply any restriction to the dss:Result element.
6.3.2.2 Element The dss:SignatureObject MUST contain the dss:Base64Signature child with a CMS based signature base-64 encoded.
6.4 Profile of Verifying Protocol
6.4.1 Element
6.4.1.1 Attribute Profile urn:oasis:names:tc:dss:1.0:profiles:CAdES.
6.4.1.2 Element
6.4.1.2.1 Element Usage of these elements is according to what is stated in section 3.4.1.2.1.
6.4.1.3 Element The dss:SignatureObject element MUST contain the dss:Base64Signature child with a CMS based signature base64 encoded.
6.4.2 Element
6.4.2.1 Element Usage of these elements is according to what is stated in section 4.1.1.1.
6.4.2.1.1 Element The content of the dss:UpdatedSignature will be a dss:SignatureObject element with one of the following contents:
A dss:Base64Signature element with the CMS based signature base64 encoded.
6.5 Profile Bindings
6.5.1 Transport Bindings Messages transported in this profile MAY be transported by the HTTP POST Transport Binding and the SOAP 1.2 Transport Binding defined in [DSSCore].
6.5.2 Security Bindings
6.5.2.1 Security Requirements This profile MUST use security bindings that:
Authenticates the requester to the DSS server
Authenticates the DSS server to the DSS client
Protects the integrity or a request, response and the association of response to the request.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 24 of 31
808
809
810
811 812
813
Optionally, protects the confidentiality of a request and response.
The following MAY be used to meet these requirements.
6.5.2.2 TLS X.509 Mutual Authentication This profile is secured using the TLS X.509 Mutual Authentication Binding defined in [DSSCore].
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 25 of 31
7 814
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 26 of 31
8 Identifiers defined in this specification 815 816 817
818
819
8.1 Predefined advanced electronic signature forms identifiers
The table below shows the URIs for standard forms of advanced electronic signature:
Advanced signature
FORM
URI
XAdES-BES
BES
urn:oasis:names:tc:dss:1.0:profiles:XAdES:forms:BES
XAdES-EPES
EPES
urn:oasis:names:tc:dss:1.0:profiles:XAdES:forms:EPES
XAdES-T
ES-T
urn:oasis:names:tc:dss:1.0:profiles:XAdES:forms:ES-T
XAdES-C
ES-C
urn:oasis:names:tc:dss:1.0:profiles:XAdES:forms:ES-C
XAdES-X
ES-X
urn:oasis:names:tc:dss:1.0:profiles:XAdES:forms:ES-X
XAdES-X-L
ES-X-L
urn:oasis:names:tc:dss:1.0:profiles:XAdES:forms:ES-X-L
XAdES-A
ES-X-A
urn:oasis:names:tc:dss:1.0:profiles:XAdES:forms:ES-A
Table 1. 820
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 27 of 31
9 Editorial Issues 821 822 823 824 825 826
827 828
829
830 831 832 833
834
835
836 837 838 839 840 841 842
843
844
845 846 847
848
849 850 851 852 853 854 855 856
857
858
859 860
861 862 863 864 865 866
867
1. The current text only allows request of signature forms identified by an URI defined somewhere. There are in [XAdES] and in [TS 101733] certain forms that allow different combination of properties. If we leave the standard as it is now, we are leaving the server to decide which combination of properties to select or we assume that any combination of properties in each form will have its unique identifier.
Report: Comments received in favor of leave the text as it is. Forms requested by URI. If possible different combinations of properties, the server decides
Satus: CLOSED if no objections.
2. Should not this abstract profile also allow requesting the updating of the signature by enumeration of the properties desired?. In this way, this profile would allow both mechanisms to update signatures: by identifying the form or by identifying the set of unsigned properties.
Report: Comments received in favor of leave the text as it is
Satus: CLOSED if no objections.
3. Section 3.3.1.1.3. A proposal has been made to associate the presence in the request of to the production of a signature where the signers certificate is protected by property, and if instead, is present then the signature will contain a signed with a element. I would prefer not linking the information required by the server to gain access to the signers certificate with the mechanism selected in the signature for protecting this certificate.
Report: Comments received in favor of leave the text as it is
Satus: CLOSED if no objections.
4. Section 3.3.1.1.4. Proposal for suppress any mention to time-marking and capabilities for the protocol to differentiate, when requesting ES-T or XAdES-T a time-stamp or a time-mark.
Satus: CLOSED. Leave as it is now.
5. Sections 3.3.1.1.5.2, 3.3.1.1.5.3, 3.3.1.1.5.4, and 3.3.1.1.5.6. In the former version the values of the signed properties passed to the server was left open. A proposal was made to force them to be elements whose types would be those defined in [XAdES]. The current version allows them to be elements of types defined in [XAdES] when requesting XML Sig based signatures OR containing the base 64 encoded value of the corresponding property defined in [TS 101733], DER-encoded, since both kind of signatures may be requested to the server.
Report: Comments received accepting changes.
Satus: CLOSED.
6. Section 3.3.1.1.5.5. A proposal was made to use for supporting request of individualDataObjectsTimeStamp property.
does contain much more information than the required for pointing to the data object to be time-stamped before signing and give indication of the Id attribute that its corresponding must have. In fact the element has quite a lot of commonality with , except the . But as there is not a type definition, a new schema definition must be generated.
Report: Comments received accepting changes.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 28 of 31
868
869 870 871 872 873 874
875
876
877 878
879 880 881 882
883 884
885
886 887 888 889 890
891
892
893 894 895 896 897
898
899 900 901 902
903
904
Satus: CLOSED.
7. Previous version explicitly mentioned that this profile would allow for requesting verification of signatures in one specific time. As this is something covered by the core, this mention has been suppressed. Comments have been raised relating this time with the time appearing in . From my point of view one thing is the time that the signer claims to have signed and a different issue is the time when the verifier verifies the signature.
Report: Comments received accepting changes.
Satus: CLOSED.
8. A new element has been defined as optional input to allow requesting the server update of a signature without verification.
Report: Comments pointing out the weakness that this element could bring in future as it would mean that some servers could update signatures without verifying them, and this would bring other ways to ascertain that a updated signature had actually been verified.
Decision: to suppress this feature. The corresponding section has been eliminated from this version.
Status: CLOSED.
9. Requesting CounterSignature is not explicitly mentioned here. I think that it would always be possible to use the core to get a copy of element from the and send it to the server using core protocol. Does anyone see any reason for including a new optional input?
Report: Comments received suggesting not go into this issue.
Satus: CLOSED until further consideration.
10. The comment has been made that in order to identify the signers key and gain access to the signers certificate, there may be mechanisms out of the dss-core, so that it does not make sense to make mandatory to use or in section 3.3.1.1.3. I agree with that comment. Text has been accordingly modified.
Satus: CLOSED.
11. Section 3.3.1.1.5.5. A comment has been made to suppress optional RefId attribute and leave the server decide. So far I have kept it, as I still think that it is worth to give the client the opportunity to request it. In addition I have added text clarifying the relationship with RefId attribute in .
Report: Comments received accepting text as it is.
Satus: CLOSED.
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 29 of 31
10 References 905 906
907
908 909
910 911
912
913
914 915
916 917
918
919 920
921
922
923
924
10.1 Normative [Core-XSD] T. Perrin et al. DSS Schema. OASIS, (MONTH/YEAR TBD)
[DSSCore] T. Perrin et al. Digital Signature Service Core Protocols and Elements. OASIS, (MONTH/YEAR TBD)
[RFC 2119] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. IETF RFC 2396, August 1998.
http://www.ietf.org/rfc/rfc2396.txt.
[TS 101733] Advanced Electronic Signatures. ETSI TS 101 733.
[XAdES] XML Advanced Electronic Signatures. ETSI TS 101 903, February 2002 (shortly to be reissued).
[XML-ns] T. Bray, D. Hollander, A. Layman. Namespaces in XML. W3C Recommendation, January 1999.
http://www.w3.org/TR/1999/REC-xml-names-19990114
[XMLSig] D. Eastlake et al. XML-Signature Syntax and Processing. W3C Recommendation, February 2002.
http://www.w3.org/TR/1999/REC-xml-names-19990114
[RFC 2634] P. Hoffman (ed.). Enhanced Security Services for S/MIME, June 1999.
[RFC 3369] Message Syntax (CMS). R. Housley. August 2002.
http://www.ietf.org/rfc/rfc2396.txthttp://www.w3.org/TR/1999/REC-xml-names-19990114/http://www.w3.org/TR/1999/REC-xml-names-19990114 -
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 30 of 31
Appendix A. Revision History 925
Rev Date By Whom What
wd-01 2004-03-08 Juan Carlos Cruellas Initial, incomplete version: SignRequest for predefined forms + optional properties.
wd-02 2004-03-08 Juan Carlos Cruellas Second version of the initial version: it incorporates SignRequest-SignResponse and VerifyRequest-VerifyResponse.
No capability for requesting individually any property. This is still an on-going discussion.
wd-03 2004-06-18 Juan Carlos Cruellas Third version. Quite a lot of editorial work done.
No capability for requesting individually any property. This is still an on-going discussion.
wd-04 2004-08-09 Juan Carlos Cruellas Fourth version:
Suppressed element.
So far: signature forms identified by URI. Not possibility of requesting properties by enumeration.
Solved most of editorial issues.
Small editorial changes.
wd-05 2004-10-08 Juan Carlos Cruellas Fifth version:
Addition of two concrete sub-profiles: one for XAdES and the other for TS 101733
wd-06 2004-11-09 Juan Carlos Cruellas Sixth version:
Addition of bindings for concrete profiles.
Additional changes from comments raised before voting as a CD
-
oasis-dss-1.0- profiles-XAdES-spec-cd-01 24 December, 2004
Copyright OASIS Open 2004. All Rights Reserved. Page 31 of 31
Appendix B. Notices 926 927 928 929 930 931 932 933 934 935
936 937 938
939
940 941 942 943 944 945 946 947 948
949 950
951 952 953 954 955
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.
OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.
Copyright OASIS Open 2003. All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself does not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an AS IS basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
IntroductionNotationNamespacesOverviewAdvanced Electronic Signature abstract profileOverviewProfile FeaturesScopeRelationship To Other ProfilesSignature ObjectProfile of Signing ProtocolElement Element Element Element Optional inputs < ClaimedIdentity> / Element Element Requesting SigningTimeRequesting CommitmentTypeIndicationRequesting SignatureProductionPlaceRequesting SignerRoleRequesting Requesting data objects formatElement Element Element Element Profile of Verifying ProtocolElement Attribute ProfileElement Element Element Element Element XML Advanced Electronic Signatures concrete ProfileOverviewProfile featuresIdentifierScopeRelationship To Other ProfilesSignature ObjectTransport BindingSecurity BindingProfile of Signing ProtocolElement Attribute ProfileElement Element Element Optional inputs < ClaimedIdentity> / Element Element Requesting SigningTimeRequesting CommitmentTypeIndication. Requesting SignatureProductionPlaceRequesting SignerRoleRequesting Requesting data objects formatElement Element Element Profile of Verifying ProtocolElement Attribute ProfileElement Element Element Element Element Element Profile BindingsTransport BindingsSecurity BindingsSecurity RequirementsTLS X.509 Mutual AuthenticationCMS-based Advanced Electronic Signature profileOverviewProfile featuresIdentifierScopeRelationship To Other ProfilesSignature ObjectTransport BindingSecurity BindingProfile of Signing ProtocolElement Attribute ProfileElement Element Element Optional inputs < ClaimedIdentity> / Element Element Requesting SigningTimeRequesting CommitmentTypeIndication. Requesting SignatureProductionPlaceRequesting SignerRoleRequesting data objects formatElement Element Element Profile of Verifying ProtocolElement Attribute ProfileElement Element Element Element Element Element Profile BindingsTransport BindingsSecurity BindingsSecurity RequirementsTLS X.509 Mutual AuthenticationIdentifiers defined in this specificationPredefined advanced electronic signature forms identifiersEditorial IssuesReferencesNormative