Hi David,
thanks for sending such a comprehensive proposal :)
I will try to have a look at that later today or tomorrow.
Just wanted to say that your contributions to this topic over the last
days have been very valuable.
Best,
Malte.
David LeBlanc wrote, On 05/07/10 23:37:
> I have been attempting to avoid making specific proposals, because I do not feel like it is truly my place to define the standard. However, given that I'm the one person here who has actually written the code to create and verify xmlDSig and XAdES signatures, perhaps it would be good to put a proposal on the table, and then we can get the other implementers to comment and provide direction. I do not yet know the precise language for the document format, so please forgive me if I use incorrect terminology. For example, I see files in a zip archive. We refer to these as 'parts' in OOXML - I'll call them files below until I'm corrected, ditto with folders.
>
> 1) An ODF document signature shall be created using a signature as specified in [xmldsig]. An implementer is encouraged to support extensions as defined in [xades].
>
> 2) A document signature shall be created by signing the files contained within the archive based upon the unencrypted content of each file. A document signature may sign all or a portion of the document. If all of the document is to be signed, all files within the archive, excepting files contained within the META-INF folder, shall be contained within the signature by creating a Reference element for each as defined in [xmldsig].
>
> 3) A document signature shall be placed within the document-signatures element in the META-INF\documentsignature.xml file. A non-document signature may be created and placed in META-INF in a file to be defined by the implementer.
>
> 4) A KeyInfo element, as specified in [xmldsig], section 4.4 shall be present. The KeyInfo element shall contain an X509Data element containing at least an X509IssuerSerial element specifying the issuer and serial number of the signing certificate, and an X509Certificate element specifying the full signing certificate. Additional X509Certificate elements may be placed in the X509Data, or may be placed in the CertificateValues element of the XAdES Object, as defined in [xades] section 7.6.1. The additional certificates should represent the entire primary certificate chain used at signing time. [NOTE: This codifies what OOo is doing now.]
>
> 5) The Reference elements specifying the hash of each signed file within the archive shall contain a Type attribute specifying the type of data which is signed. [ NOTE - this needs refinement] Files contained within the archive shall have paths with a root established at the root of the archive, and shall have a Type of [ something specific to ODF here]. Reference elements with other Type attributes shall be considered to have a URI as defined in [xpath]. A Reference to an Object element within the Signature should have a Type attribute of "http://www.w3.org/2000/09/xmldsig#Object", and the Reference element specifying the hash of the XAdES SignedProperties element (if present) shall be as specified in [xades] section 6.3.1. [NOTE: This is a proper solution to the path resolution problem.]
>
> 5a) [TO BE DISCUSSED] Alternately, Reference elements specifying the hash of archive files may be placed in a Manifest element contained within an Object element, and it is implied that the paths shall refer to files contained within the archive, and the URI path shall be resolved from the root of the archive. [TBD - need to create a way to uniquely identify this Object]
>
> 6) The only permitted Transform elements which apply to files contained within the archive shall be canonicalization transforms, as specified in [xmldsig], section 6.5. [Note - mayhem can ensue if you allow an XSLT transform, and you can end up signing odd things and throwing parsers into infinite loops - this is an important restriction.] A canonicalization Transform MUST be specified for all XML files.
>
> 7) The signing time shall be specified in the [Object you already create - #include
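
Added example, not part of either message above and not code from any ODF implementation: a Python check for items 2 and 6 of the quoted proposal, reporting archive files outside META-INF that no Reference covers, Transforms that are not canonicalizations, and XML files signed without one. The signature file name, the allow-list of canonicalization URIs, the ".xml" extension test and the sample package are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SIG_PATH = "META-INF/documentsignature.xml"  # assumed name, following item 3
# Assumed allow-list of canonicalization algorithms; extend as the spec decides.
C14N = {
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
}

def audit_signature(package_bytes, sig_path=SIG_PATH):
    """Return (unsigned_files, forbidden_transforms, xml_without_c14n)."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        names = {n for n in zf.namelist()
                 if not n.endswith("/") and not n.startswith("META-INF/")}
        sig = ET.fromstring(zf.read(sig_path))  # untrusted input: prefer defusedxml
    signed, forbidden, no_c14n = set(), [], []
    # Only References directly under SignedInfo are covered by SignatureValue.
    for ref in sig.iterfind(f".//{DS}SignedInfo/{DS}Reference"):
        uri = ref.get("URI", "")
        if not uri or uri.startswith("#"):  # same-document reference (e.g. an Object)
            continue
        path = unquote(uri).lstrip("/")  # item 5: resolve from the archive root
        algs = [t.get("Algorithm")
                for t in ref.iterfind(f"{DS}Transforms/{DS}Transform")]
        forbidden += [(path, a) for a in algs if a not in C14N]  # item 6
        if path.endswith(".xml") and not any(a in C14N for a in algs):
            no_c14n.append(path)  # XML file signed without canonicalization
        signed.add(path)
    return sorted(names - signed), forbidden, no_c14n  # item 2: full coverage

# Constructed sample: one picture left unsigned, one XSLT transform on styles.xml.
SAMPLE_SIG = """<document-signatures><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<Reference URI="content.xml"><Transforms><Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></Transforms></Reference>
<Reference URI="styles.xml"><Transforms><Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/></Transforms></Reference>
</SignedInfo></Signature></document-signatures>"""

def build_sample():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("content.xml", "styles.xml", "Pictures/a.png", "META-INF/manifest.xml"):
            zf.writestr(name, b"<x/>")
        zf.writestr(SIG_PATH, SAMPLE_SIG)
    return buf.getvalue()
```

The check covers reference coverage and transform policy only; it does not verify digests or the signature value.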