- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Mon, 15 Dec 2008 17:20:50 -0500
- To: ext Juan Carlos Cruellas <cruellas@ac.upc.edu>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, XMLSec WG Public List <public-xmlsec@w3.org>
I have some received some additional feedback, and suggest we change the Timestamp to be a simple Expiration. The idea is that the signature may be shorter lived than the associated key/certificate. Regarding usage and author, I'd like to enable a widget signing use case where there may be multiple signatures associated with signed content, one from the developer (author) perhaps another by the distributor, so would like to use roles to differentiate. The intent of Usage is to associate with "widget signing", hence this may not be as extensive as a signature policy which may be yet another property. In this view perhaps the overlap with XAdeS is not so great? regards, Frederick Frederick Hirsch Nokia On Dec 12, 2008, at 11:48 AM, ext Juan Carlos Cruellas wrote: > > Dear Frederick, concerning the current status of the draft, I am > affraid > that I have some comments: > > 1. Concerning Usage property, the text says: "The developer also needs > to associate a usage URI with the signature to indicate processing > rules > and other information needed to process the signature properly (in > addition to required XML Signature processing rules)."...well, this is > roughly speaking what in other areas is understood as Signature > Policy, > and XAdES already has defined a structure for this....would not be > possible to make a reference to XAdES property instead defining a new > type for the same purpose? > > > 2. Concerning the timestamp element....my view is that this element > does > not add any security to the signature, I mean, it seems to be a pair > of two values generated by the signer (as there is nothing else > indicating that it has been created by a trusted TSA, like a RFC3161 > or > DSS time-stamp token)...so I think that the term timestamp is a bit > misleading....to me, from what you write, its semantics seems a kind > of > claimed validity period of the signature (claimed by the signer > herself, > and in consequence without any further endorsement by a Trusted > TSA)....and if so, I would propose precisely a change of name: > ClaimedTimeSpan or something similar....If I am correct with the > semantic, there is not anything like this in XAdES and would not have > any problem....but it should be made it clear that this is not a > declaration endorsed by any trusted third party.... > > So, very briefly: > > 1. I would propose to use the concept of signature policy and make > reference to xades:SignaturePolicyIdentifier (as it has additional > elements that may help the verifiers in their processing and also > cover > the same concept) > > 2. I would propose to change the name of the second element to > ClaimedTimeSpan, and make it clear that is a time indication > provided by > the signer. > > I hope this helps. > > Regards > > Juan Carlos. >
Received on Monday, 15 December 2008 22:21:40 UTC