OASIS Open Document Format for Office Applications (OpenDocument) TC

Greetings.

I've published today at the wiki 
(http://wiki.oasis-open.org/office/DSigProposal) a proposal regarding 
the Digital Signature support on ODF 1.2, basically expanding the 
existing XMLDSIG proposal to also support XAdES.

This proposal was developed by me and Bob Joliffe, as he previously 
announced on the list 
(http://lists.oasis-open.org/archives/office/200804/msg00216.html).

I'm waiting your comments.

Best Regards,

Jomar

Hi Jomar

I've made a slight fix to the section on fragment signatures.  I think you lost some text copying and pasting to the wiki.

Regards
Bob

----- Jomar Silva 

Thanks for putting this proposal together.
 I'm very much interested in seeing strong signature support (and
encryption support) in ODF 1.2

I'm not familiar with XAdES.
 I see that in the W3C it was left as a Note, and not pursued as a
Recommendation.  Do we know why?  And why is the status of XAdES
in ETSI?  Do they now own and maintain it?  If so, should we
reference their latest version, and not the W3C's?

-Rob


Jomar Silva <jomar.silva@br.odfalliance.org>
wrote on 07/11/2008 01:00:11 PM:



> Greetings.

>

> I've published today at the wiki

> (http://wiki.oasis-open.org/office/DSigProposal)
a proposal regarding

> the Digital Signature support on ODF 1.2, basically expanding the

> existing XMLDSIG proposal to also support XAdES.

>

> This proposal was developed by me and Bob Joliffe, as he previously

> announced on the list

> (http://lists.oasis-open.org/archives/office/200804/msg00216.html).

>

> I'm waiting your comments.

>

> Best Regards,

>

> Jomar

>

Greetings

Given the recent discussions and consensus around workflow of proposals on the TC I would like to try and propose some kind of reasonable timeline for this one.

Can I suggest that 
(1) those who are interested try, during the course of this week ahead, to take a look at what is being proposed and return comments to the mailing list
(2) on the basis of the above, we schedule an agenda item for discussion in two weeks - ie 11 August

My understanding is that what is being proposed should not be too controversial or disruptive so it is my hope that we do have some consensus by then.

There is an open question raised by Rob Weir around the status of XaDes.  Jomar, can you tell us what is being referenced in Brazil?

Kind regards
Bob

----- Jomar Silva 

I have 2 questions about this proposal:


1)As I know, currently no office products support XAdES. So I would like to know the maturity of this ETSI specification in the market place. ODF is a practical standard that many office products are following up. If ODF introduces and depends on an external immature or unstable specification, this will bring confusion or difficulty for current office product implementations. I only get some experimental results from this link http://www.etsi.org/Application/Search/?search=XAdES.


2)This proposal adopts the XAdES version on W3C(http://www.w3.org/TR/2003/NOTE-XAdES-20030220/), which was submitted on the year 2003, but now still is in status of NOTE made available for W3C discussion only, and the copyright is hold by ETSI. So I would like to know what relationship between ETSI and W3C, and whether this relationship will bring some IP issues for ODF.



Best Regards,


Mingfei Jia(贾明飞)

IBM Lotus Symphony Development

IBM China Software Development LAB, Beijing

Tel: 86-10-82452493   Fax: 86-10-82452887

NOTES:Ming Fei Jia/China/IBM   E-mail: jiamingf@cn.ibm.com

Address: 4/F, DeShi Building No.9, East Road, ShangDi, Haidian District, Beijing 100085, PRC


Bob Jolliffe ---07/28/2008 04:41:55 AM---Greetings






From:


Bob Jolliffe <bobj@dst.gov.za>



To:


Jomar Silva <jomar.silva@br.odfalliance.org>



Cc:


office TC <office@lists.oasis-open.org>



Date:


07/28/2008 04:41 AM



Subject:


Re: [office] Digital Signature proposal





Greetings


Given the recent discussions and consensus around workflow of proposals on the TC I would like to try and propose some kind of reasonable timeline for this one.


Can I suggest that

(1) those who are interested try, during the course of this week ahead, to take a look at what is being proposed and return comments to the mailing list

(2) on the basis of the above, we schedule an agenda item for discussion in two weeks - ie 11 August


My understanding is that what is being proposed should not be too controversial or disruptive so it is my hope that we do have some consensus by then.


There is an open question raised by Rob Weir around the status of XaDes.  Jomar, can you tell us what is being referenced in Brazil?


Kind regards

Bob


----- Jomar Silva <jomar.silva@br.odfalliance.org> wrote:

> Greetings.

>

> I've published today at the wiki

> (http://wiki.oasis-open.org/office/DSigProposal) a proposal regarding

> the Digital Signature support on ODF 1.2, basically expanding the

> existing XMLDSIG proposal to also support XAdES.

>

> This proposal was developed by me and Bob Joliffe, as he previously

> announced on the list

> (http://lists.oasis-open.org/archives/office/200804/msg00216.html).

>

> I'm waiting your comments.

>

> Best Regards,

>

> Jomar

>

> ---------------------------------------------------------------------

> To unsubscribe from this mail list, you must leave the OASIS TC that

> generates this mail.  Follow this link to all your TCs in OASIS at:

> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

>

>



---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

Hi Ming

Thanks for raising these issues.  Taking you comments in reverse order:

2.  I agree we need to understand the W3C/ETSI relationship better.  The XAdES proposal was made as a result of requirements for use in Brazil.  I think we need to ask Jomar to tell us what the current status of XAdES implementation is there.  

1.  Agreed.  But there is a considerable scope for signing and validation tools outside of traditional "office products".   For example, the current specification allows for the signing of document fragments using XMLDsig.  There are no current office applications which do this, but it is still useful.  We are working on one such implementation for validating signatures in our workflows in the document management system.  Of course it would be great for office applications to support signing of a text section, but if they don't yet do this its not a disaster.  As long as those existing applications don't trash the signatures they don't understand or care about.

Regards
Bob

2008/7/30 Ming Fei Jia <jiamingf@cn.ibm.com>


I have 2 questions about this proposal:


1)As I know, currently no office products support XAdES. So I would like to know the maturity of this ETSI specification in the market place. ODF is a practical standard that many office products are following up. If ODF introduces and depends on an external immature or unstable specification, this will bring confusion or difficulty for current office product implementations. I only get some experimental results from this link http://www.etsi.org/Application/Search/?search=XAdES.


2)This proposal adopts the XAdES version on W3C(http://www.w3.org/TR/2003/NOTE-XAdES-20030220/), which was submitted on the year 2003, but now still is in status of NOTE made available for W3C discussion only, and the copyright is hold by ETSI. So I would like to know what relationship between ETSI and W3C, and whether this relationship will bring some IP issues for ODF.



Best Regards,


Mingfei Jia(贾明飞)

IBM Lotus Symphony Development

IBM China Software Development LAB, Beijing

Tel: 86-10-82452493   Fax: 86-10-82452887

NOTES:Ming Fei Jia/China/IBM   E-mail: jiamingf@cn.ibm.com

Address: 4/F, DeShi Building No.9, East Road, ShangDi, Haidian District, Beijing 100085, PRC


Bob Jolliffe ---07/28/2008 04:41:55 AM---Greetings






From:


Bob Jolliffe <bobj@dst.gov.za>



To:


Jomar Silva <jomar.silva@br.odfalliance.org>



Cc:


office TC <office@lists.oasis-open.org>



Date:


07/28/2008 04:41 AM



Subject:


Re: [office] Digital Signature proposal





Greetings


Given the recent discussions and consensus around workflow of proposals on the TC I would like to try and propose some kind of reasonable timeline for this one.


Can I suggest that

(1) those who are interested try, during the course of this week ahead, to take a look at what is being proposed and return comments to the mailing list

(2) on the basis of the above, we schedule an agenda item for discussion in two weeks - ie 11 August


My understanding is that what is being proposed should not be too controversial or disruptive so it is my hope that we do have some consensus by then.


There is an open question raised by Rob Weir around the status of XaDes.  Jomar, can you tell us what is being referenced in Brazil?


Kind regards

Bob


----- Jomar Silva <jomar.silva@br.odfalliance.org> wrote:

> Greetings.

>

> I've published today at the wiki

> (http://wiki.oasis-open.org/office/DSigProposal) a proposal regarding

> the Digital Signature support on ODF 1.2, basically expanding the

> existing XMLDSIG proposal to also support XAdES.

>

> This proposal was developed by me and Bob Joliffe, as he previously

> announced on the list

> (http://lists.oasis-open.org/archives/office/200804/msg00216.html).

>

> I'm waiting your comments.

>

> Best Regards,

>

> Jomar

>

> ---------------------------------------------------------------------

> To unsubscribe from this mail list, you must leave the OASIS TC that

> generates this mail.  Follow this link to all your TCs in OASIS at:

> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

>

>



---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

  


Hi Bob,


The XAdES adoption was proposed on Brazilian government by a group of
specialists that has analyzed several digital signatures standards and
they decided to use ETSI XAdES. XAdES simply extends the XMLDsig
standard, already used by BR Digital Signature infrastructure. If an
application already supports XMLDsig, it will only need to recognize
some aditional parameters to be compatible with XAdES, and if the
application developer choose to only support XMLDsig, it will still
being compliant with ODF 1.2. This specialist group works on a high
level institution in Brazil called ITI, that is related to Brazilian
Presidency of the Republic (www.iti.gov.br).


I've updated the proposal, to reference the ETSI XAdES document
(http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=21353).
There is also an additional document at ETSI website, regarding the
XAdES profiles
(http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=22942),
that defines 3 profiles that can be implemented by applications
developers, to assure interoperability (it seems to me that this is
more application-specific than something that we need to take care on
the file format).


I've also updated the proposed <dsig:document-signatures>
attribute, to use the same terms that is used by ETSI to the basic
signature types (XAdES-BES and XAdES-EPES).


To understand how Brazilian digital signature infrastructure is
working, please check (the pictures) of this presentation:
http://www.ciab.org.br/palestras/Wander%20Blanco%20Nunes.pdf (sorry...
Brazilian Portuguese, but you may understand the diagrams). There, you
may also see that BR infrastructure also use CADES/CMS, but its usage
inside ODF spec would be more difficult than using XAdES, an extension
of what is already defined on ODF (XMLDsig).


I've also checked the ETSI IPR page
(http://webapp.etsi.org/IPR/home.asp) and there are no patents
registered there regarding XAdES.


As I've wrote before, the Brazilian DigSig infrastructure (ICP-Brasil)
is being adopted as reference for some Latin America countries. There
is also a strong effort by Brazilian government to increase the usage
of digital signatures, even by small companies. This will means that
the Digital Signature capability will be presented on most companies in
Brazil on the next few years, and an Office Application that may use it
is really desired here.


Fell free to send me any other questions.


Best Regards,


Jomar



Bob Jolliffe escreveu:
a1820cc70807300452r71ab99daw803dc795c04a9066@mail.gmail.com" type="cite">
  
Hi Ming


Thanks for raising these issues.  Taking you comments in reverse order:


2.  I agree we need to understand the W3C/ETSI relationship better. 
The XAdES proposal was made as a result of requirements for use in
Brazil.  I think we need to ask Jomar to tell us what the current
status of XAdES implementation is there.  


1.  Agreed.  But there is a considerable scope for signing and
validation tools outside of traditional "office products".  For
example, the current specification allows for the signing of document
fragments using XMLDsig.  There are no current office applications
which do this, but it is still useful.  We are working on one such
implementation for validating signatures in our workflows in the
document management system.  Of course it would be great for office
applications to support signing of a text section, but if they don't
yet do this its not a disaster.  As long as those existing applications
don't trash the signatures they don't understand or care about.


Regards

Bob


  
2008/7/30 Ming Fei Jia <jiamingf@cn.ibm.com>

  

    

    
I have 2 questions about this proposal:


1)As I know, currently no office products support XAdES. So I would
like to know the maturity of this ETSI specification in the market
place. ODF is a practical standard that many office products are
following up. If ODF introduces and depends on an external immature or
unstable specification, this will bring confusion or difficulty for
current office product implementations. I only get some experimental
results from this link http://www.etsi.org/Application/Search/?search=XAdES.


2)This proposal adopts the XAdES version on W3C(http://www.w3.org/TR/2003/NOTE-XAdES-20030220/),
which was submitted on the year 2003, but now still is in status of
NOTE made available for W3C discussion only, and the copyright is hold
by ETSI. So I would like to know what relationship between ETSI and
W3C, and whether this relationship will bring some IP issues for ODF.



Best Regards,


Mingfei Jia(贾明飞)

IBM Lotus Symphony Development

IBM China Software Development LAB, Beijing

Tel: 86-10-82452493 Fax: 86-10-82452887
NOTES:Ming
Fei Jia/China/IBM E-mail: jiamingf@cn.ibm.com

Address: 4/F, DeShi Building No.9, East Road, ShangDi, Haidian
District, Beijing 100085, PRC

Bob Jolliffe
---07/28/2008 04:41:55 AM---Greetings


    

      

        

          

      From:
          

      Bob Jolliffe <bobj@dst.gov.za>
        
        

          

      To:
          

      
          

      Jomar Silva <jomar.silva@br.odfalliance.org>
        
        

          

      Cc:
          

      office TC <office@lists.oasis-open.org>
        
        

          

      Date:
          

      07/28/2008 04:41 AM
        
        

          

      Subject:
          

      Re: [office] Digital Signature proposal
        
      
    
    

    

    



Greetings


Given the recent discussions and consensus around workflow of proposals
on the TC I would like to try and propose some kind of reasonable
timeline for this one.


Can I suggest that

(1) those who are interested try, during the course of this week ahead,
to take a look at what is being proposed and return comments to the
mailing list

(2) on the basis of the above, we schedule an agenda item for
discussion in two weeks - ie 11 August


My understanding is that what is being proposed should not be too
controversial or disruptive so it is my hope that we do have some
consensus by then.


There is an open question raised by Rob Weir around the status of
XaDes.  Jomar, can you tell us what is being referenced in Brazil?


Kind regards

Bob


----- Jomar Silva <jomar.silva@br.odfalliance.org>
wrote:

> Greetings.

>

> I've published today at the wiki

> (http://wiki.oasis-open.org/office/DSigProposal)
a proposal regarding

> the Digital Signature support on ODF 1.2, basically expanding the

> existing XMLDSIG proposal to also support XAdES.

>

> This proposal was developed by me and Bob Joliffe, as he
previously

> announced on the list

> (http://lists.oasis-open.org/archives/office/200804/msg00216.html).

>

> I'm waiting your comments.

>

> Best Regards,

>

> Jomar

>

>
---------------------------------------------------------------------

> To unsubscribe from this mail list, you must leave the OASIS TC
that

> generates this mail.  Follow this link to all your TCs in OASIS at:

> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

>

>



---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 



    
    
  
  


  

On this topic, has anyone on this TC covered cross-standard workflows to determine requirements?  A typical request is to take an ODF doc and archive it in PDF format.  Ensuring the dSig info can be archived in a format that it will still be capable of being authenticated 50 years from now is a hot topic with lots of governments.  We might want to look at the ISO PDF and ISO PDF-A specs to see what users need so we don’t forget about these workflows.


Dune



On 30/07/08 9:03 AM, "Jomar Silva" <jomar.silva@br.odfalliance.org> wrote:


Hi Bob,


The XAdES adoption was proposed on Brazilian government by a group of specialists that has analyzed several digital signatures standards and they decided to use ETSI XAdES. XAdES simply extends the XMLDsig standard, already used by BR Digital Signature infrastructure. If an application already supports XMLDsig, it will only need to recognize some aditional parameters to be compatible with XAdES, and if the application developer choose to only support XMLDsig, it will still being compliant with ODF 1.2. This specialist group works on a high level institution in Brazil called ITI, that is related to Brazilian Presidency of the Republic (www.iti.gov.br <http://www.iti.gov.br> ).


I've updated the proposal, to reference the ETSI XAdES document (http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=21353). There is also an additional document at ETSI website, regarding the XAdES profiles (http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=22942), that defines 3 profiles that can be implemented by applications developers, to assure interoperability (it seems to me that this is more application-specific than something that we need to take care on the file format).


I've also updated the proposed <dsig:document-signatures> attribute, to use the same terms that is used by ETSI to the basic signature types (XAdES-BES and XAdES-EPES).


To understand how Brazilian digital signature infrastructure is working, please check (the pictures) of this presentation: http://www.ciab.org.br/palestras/Wander%20Blanco%20Nunes.pdf (sorry... Brazilian Portuguese, but you may understand the diagrams). There, you may also see that BR infrastructure also use CADES/CMS, but its usage inside ODF spec would be more difficult than using XAdES, an extension of what is already defined on ODF (XMLDsig).


I've also checked the ETSI IPR page (http://webapp.etsi.org/IPR/home.asp) and there are no patents registered there regarding XAdES.


As I've wrote before, the Brazilian DigSig infrastructure (ICP-Brasil) is being adopted as reference for some Latin America countries. There is also a strong effort by Brazilian government to increase the usage of digital signatures, even by small companies. This will means that the Digital Signature capability will be presented on most companies in Brazil on the next few years, and an Office Application that may use it is really desired here.


Fell free to send me any other questions.


Best Regards,


Jomar



Bob Jolliffe escreveu:



Hi Ming

 

Thanks for raising these issues.  Taking you comments in reverse order:

 

2.  I agree we need to understand the W3C/ETSI relationship better. The XAdES proposal was made as a result of requirements for use in Brazil.  I think we need to ask Jomar to tell us what the current status of XAdES implementation is there.   

 

1.  Agreed.  But there is a considerable scope for signing and validation tools outside of traditional "office products".  For example, the current specification allows for the signing of document fragments using XMLDsig.  There are no current office applications which do this, but it is still useful.  We are working on one such implementation for validating signatures in our workflows in the document management system.  Of course it would be great for office applications to support signing of a text section, but if they don't yet do this its not a disaster.  As long as those existing applications don't trash the signatures they don't understand or care about.

 

Regards

Bob

 

 

2008/7/30 Ming Fei Jia <jiamingf@cn.ibm.com>

 



 


I have 2 questions about this proposal:

 

1)As I know, currently no office products support XAdES. So I would like to know the maturity of this ETSI specification in the market place. ODF is a practical standard that many office products are following up. If ODF introduces and depends on an external immature or unstable specification, this will bring confusion or difficulty for current office product implementations. I only get some experimental results from this link http://www.etsi.org/Application/Search/?search=XAdES.

 

2)This proposal adopts the XAdES version on W3C(http://www.w3.org/TR/2003/NOTE-XAdES-20030220/), which was submitted on the year 2003, but now still is in status of NOTE made available for W3C discussion only, and the copyright is hold by ETSI. So I would like to know what relationship between ETSI and W3C, and whether this relationship will bring some IP issues for ODF.

 

 

Best Regards,

 

Mingfei Jia(贾明飞)

IBM Lotus Symphony Development

IBM China Software Development LAB, Beijing

Tel: 86-10-82452493 Fax: 86-10-82452887

 NOTES:Ming Fei Jia/China/IBM E-mail: jiamingf@cn.ibm.com

Address: 4/F, DeShi Building No.9, East Road, ShangDi, Haidian District, Beijing 100085, PRC

 

 Bob Jolliffe ---07/28/2008 04:41:55 AM---Greetings



 

   

 

 From:

 Bob Jolliffe <bobj@dst.gov.za>  

 

 To:

  

 Jomar Silva <jomar.silva@br.odfalliance.org>  

 

 Cc:

 office TC <office@lists.oasis-open.org>  

 

 Date:

 07/28/2008 04:41 AM  

 

 Subject:

 Re: [office] Digital Signature proposal    



 


 

 

 Greetings

 

Given the recent discussions and consensus around workflow of proposals on the TC I would like to try and propose some kind of reasonable timeline for this one.

 

Can I suggest that

(1) those who are interested try, during the course of this week ahead, to take a look at what is being proposed and return comments to the mailing list

(2) on the basis of the above, we schedule an agenda item for discussion in two weeks - ie 11 August

 

My understanding is that what is being proposed should not be too controversial or disruptive so it is my hope that we do have some consensus by then.

 

There is an open question raised by Rob Weir around the status of XaDes.  Jomar, can you tell us what is being referenced in Brazil?

 

Kind regards

Bob

 

----- Jomar Silva <jomar.silva@br.odfalliance.org> wrote:

> Greetings.

>

> I've published today at the wiki

> (http://wiki.oasis-open.org/office/DSigProposal) a proposal regarding

> the Digital Signature support on ODF 1.2, basically expanding the

> existing XMLDSIG proposal to also support XAdES.

>

> This proposal was developed by me and Bob Joliffe, as he previously

> announced on the list

> (http://lists.oasis-open.org/archives/office/200804/msg00216.html).

>

> I'm waiting your comments.

>

> Best Regards,

>

> Jomar

>

> ---------------------------------------------------------------------

> To unsubscribe from this mail list, you must leave the OASIS TC that

> generates this mail.  Follow this link to all your TCs in OASIS at:

> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

>

>

 

 

---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

 https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

 

 



 

 

 

 

 

 





--

**********************************************************************

Senior Technical Evangelist - Adobe Systems, Inc.

Duane's World TV Show - http://www.duanesworldtv.org/

Blog - http://technoracle.blogspot.com

Community Music - http://www.mix2r.com

My Band - http://www.myspace.com/22ndcentury

Adobe MAX 2008 - http://technoracle.blogspot.com/2007/08/adobe-max-2008.html

**********************************************************************

2008/7/30 Duane Nickull 

Dave:

The PDF archive format can preserve a block of bytes representing the
original document plus the signature dictionary which contains information
about the hashing algorithm, the key and signature values in a manner that
they can be preserved and tested in the future.  The exact mechanism is very
complex and includes callback to test as the file is being written out to
disk to ensure no tampering occurred between the time it was signed and the
persistence to disk as well as other safeguards.

The PDF itself could be signed again thus making two certification events
per document.  Multiple signatures on a document have extra complexity as
you first have to certify documents.   It basically works on a function
v(function v(function v()))... Basis.  The second signature or certification
event includes the bytes used by the first set of signatures.

Based on currently acceptable algorithms and historic CPU breakthroughs, I
would suspect that what people use today for Dsig is not what will be
acceptable tomorrow for things like certifying documents.

I have a set of PDF slides on the PDF signature mechanism if anyone wants to
understand this in more detail.

Duane


On 30/07/08 9:41 AM, "Dave Pawson" 

2008/7/30 Duane Nickull 

On 30/07/08 10:28 AM, "Dave Pawson" 

Duane Nickull 

Good thoughts Robert.  I think we ought to call in the right people.  You have an expert working for IBM by the name of Mary-ann Hondo (spelling?).  I worked with her in other standards groups.  I would also like to suggest we bring in some Adobe experts (people who know way more than me) and perhaps some neutral government people who are responsible for policy in this area.


The rationale?  It would be pointless to build this part of the ODF specification and find out later it doesn’t meet the minimal requirements for 9/10 governments worldwide.  Let’s at least attempt to get it right and make sure that implementers are not locked outside of government contracts due to the spec being sub-standard.


My $0.02 CAD.


Duane



On 31/07/08 2:44 PM, "robert_weir@us.ibm.com" <robert_weir@us.ibm.com> wrote:


Duane Nickull <dnickull@adobe.com> wrote on 07/30/2008 01:49:45 PM:


>

> It sounds like this TC has not documented dSig requirements from users.

As

> a big fan of ODF, I would like to suggest we consider collecting some as

I

> would hate to see implementations of ODF get pushed aside based on not

> meeting the basic requirements for dSig.  I can help reach out to the

> Canadian Government, maybe UK, Austria, Germany and US too.

>

> Thoughts?

>


Document security, both on the encryption and digital signature side is a

critical issue to get right.  I know that I'm not an expert in the area,

but my gut feeling is that we need to bring in some expertise.  This is

similar to what we did when we brought it accessibility experts to

evaluate our gaps and options with ODF 1.0.


The concerns I have are:


1) XAdES appears to satisfy the requirements of Brazil and possible

Europe.  But what about the US (FIPS)?  What about Japan?  What about

China?  Most of the ODF vendors today are selling their products

internationally.  The open source implementations are certainly

distributing internationally.  So I think we need a more comprehensive

view of what the digital signature requirements are globally.  Although

XAdES may be part of this, I think it may be worth getting the

requirements up front and to work this out comprehensively.  Maybe it

means we need W3C XML DigSig and 3 other standards, including XAdES.  I

don't know.  But I don't want to wait for ODF 2.0 for this.  I want us to

get this done for ODF 1.2.


2) Are we doing the right thing for encryption?  I read one blog post by a

security expert suggesting that what we have specified today may not be

adequate:

http://blogs.msdn.com/david_leblanc/archive/2008/07/03/office-crypto-follies.aspx


3) Are we doing what we need now, to be flexible for what we may add

tomorrow?  For example, we may not allow field level encryption today, or

slide-level signatures today, or multiple author signatures on overlapping

parts of a document, but let's make sure that we don't specify these

things in a way which would preclude us from adding more advanced features

later.  I'd like to be able to wave my arms and describe how these

features could be done, by extending what we have specified, without

looking too foolish.


Again, this is not my area of expertise, but I can certainly tap into

security expertise within IBM.  I wonder whether it would be worth putting

together a few experts from TC members and member companies to review what

we have today, and Jomar's/Bob's proposal, and suggest additional

requirements that should be met for ODF 1.2, and serve as a reviewer of

the security areas of the eventual draft text.  This could be done as a

"security subcommittee" like we did with accessibility.  Or we could do it

with a few conference calls, outside of the normal TC call schedule.


In the end we need these features in ODF to be world class, because that

is our audience.


-Rob




--

**********************************************************************

Senior Technical Evangelist - Adobe Systems, Inc.

Duane's World TV Show - http://www.duanesworldtv.org/

Blog - http://technoracle.blogspot.com

Community Music - http://www.mix2r.com

My Band - http://www.myspace.com/22ndcentury

Adobe MAX 2008 - http://technoracle.blogspot.com/2007/08/adobe-max-2008.html

**********************************************************************

  


There is another TC on OASIS that may help us with that:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss


They are the OASIS Digital Signature Services TC and I think that they
should have a broader view about that subject.


Best,


Jomar


Duane Nickull escreveu:
25dnickull@adobe.com" type="cite">
  
  
  Good thoughts Robert.  I think we ought to call in the right
people.  You have an expert working for IBM by the name of Mary-ann
Hondo (spelling?).  I worked with her in other standards groups.  I
would also like to suggest we bring in some Adobe experts (people who
know way more than me) and perhaps some neutral government people who
are responsible for policy in this area.


The rationale?  It would be pointless to build this part of the ODF
specification and find out later it doesn’t meet the minimal
requirements for 9/10 governments worldwide.  Let’s at least attempt to
get it right and make sure that implementers are not locked outside of
government contracts due to the spec being sub-standard.


My $0.02 CAD.


Duane



On 31/07/08 2:44 PM, "robert_weir@us.ibm.com" <robert_weir@us.ibm.com>
wrote:


  
  
 Duane Nickull <dnickull@adobe.com> wrote on
07/30/2008 01:49:45 PM:


>

> It sounds like this TC has not documented dSig requirements from
users.

As

> a big fan of ODF, I would like to suggest we consider collecting
some as

I

> would hate to see implementations of ODF get pushed aside based on
not

> meeting the basic requirements for dSig.  I can help reach out to
the

> Canadian Government, maybe UK, Austria, Germany and US too.

>

> Thoughts?

>


Document security, both on the encryption and digital signature side is
a

critical issue to get right.  I know that I'm not an expert in the area,

but my gut feeling is that we need to bring in some expertise.  This is

similar to what we did when we brought it accessibility experts to

evaluate our gaps and options with ODF 1.0.


The concerns I have are:


1) XAdES appears to satisfy the requirements of Brazil and possible

Europe.  But what about the US (FIPS)?  What about Japan?  What about

China?  Most of the ODF vendors today are selling their products

internationally.  The open source implementations are certainly

distributing internationally.  So I think we need a more comprehensive

view of what the digital signature requirements are globally.  Although

XAdES may be part of this, I think it may be worth getting the

requirements up front and to work this out comprehensively.  Maybe it

means we need W3C XML DigSig and 3 other standards, including XAdES.  I

don't know.  But I don't want to wait for ODF 2.0 for this.  I want us
to

get this done for ODF 1.2.


2) Are we doing the right thing for encryption?  I read one blog post
by a

security expert suggesting that what we have specified today may not be

adequate:
http://blogs.msdn.com/david_leblanc/archive/2008/07/03/office-crypto-follies.aspx


3) Are we doing what we need now, to be flexible for what we may add

tomorrow?  For example, we may not allow field level encryption today,
or

slide-level signatures today, or multiple author signatures on
overlapping

parts of a document, but let's make sure that we don't specify these

things in a way which would preclude us from adding more advanced
features

later.  I'd like to be able to wave my arms and describe how these

features could be done, by extending what we have specified, without

looking too foolish.


Again, this is not my area of expertise, but I can certainly tap into

security expertise within IBM.  I wonder whether it would be worth
putting

together a few experts from TC members and member companies to review
what

we have today, and Jomar's/Bob's proposal, and suggest additional

requirements that should be met for ODF 1.2, and serve as a reviewer of

the security areas of the eventual draft text.  This could be done as a

"security subcommittee" like we did with accessibility.  Or we could do
it

with a few conference calls, outside of the normal TC call schedule.


In the end we need these features in ODF to be world class, because that

is our audience.


-Rob

 
  

--

**********************************************************************

Senior Technical Evangelist - Adobe Systems, Inc.

Duane's World TV Show - http://www.duanesworldtv.org/

Blog - http://technoracle.blogspot.com

Community Music - http://www.mix2r.com

My Band - http://www.myspace.com/22ndcentury

Adobe MAX 2008 - http://technoracle.blogspot.com/2007/08/adobe-max-2008.html

**********************************************************************

   

Jomar:


Excellent suggestion!  Although I cannot (as a point of order) invite people on behalf of the TC, I do know my Adobe colleagues on the DSS TC.  I have cc’d them.  They have expressed a willingness to help.  Would anyone object to inviting them to a future meeting to help us understand what we need to know?  Maybe this TC needs to contemplate setting up an official liaison as per the OASIS procedures?


Just an idea to put out there.


Duane



On 31/07/08 3:17 PM, "Jomar Silva" <jomar.silva@br.odfalliance.org> wrote:


There is another TC on OASIS that may help us with that: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss


They are the OASIS Digital Signature Services TC and I think that they should have a broader view about that subject.


Best,


Jomar


Duane Nickull escreveu:

  Re: [office] Digital Signature proposal Good thoughts Robert.  I think we ought to call in the right people.  You have an expert working for IBM by the name of Mary-ann Hondo (spelling?).  I worked with her in other standards groups.  I would also like to suggest we bring in some Adobe experts (people who know way more than me) and perhaps some neutral government people who are responsible for policy in this area.

 

The rationale?  It would be pointless to build this part of the ODF specification and find out later it doesn’t meet the minimal requirements for 9/10 governments worldwide.  Let’s at least attempt to get it right and make sure that implementers are not locked outside of government contracts due to the spec being sub-standard.

 

My $0.02 CAD.

 

Duane

 

 

On 31/07/08 2:44 PM, "robert_weir@us.ibm.com" <robert_weir@us.ibm.com> wrote:

 

  

 Duane Nickull <dnickull@adobe.com> wrote on 07/30/2008 01:49:45 PM:

 

>

> It sounds like this TC has not documented dSig requirements from users.

As

> a big fan of ODF, I would like to suggest we consider collecting some as

I

> would hate to see implementations of ODF get pushed aside based on not

> meeting the basic requirements for dSig.  I can help reach out to the

> Canadian Government, maybe UK, Austria, Germany and US too.

>

> Thoughts?

>

 

Document security, both on the encryption and digital signature side is a

critical issue to get right.  I know that I'm not an expert in the area,

but my gut feeling is that we need to bring in some expertise.  This is

similar to what we did when we brought it accessibility experts to

evaluate our gaps and options with ODF 1.0.

 

The concerns I have are:

 

1) XAdES appears to satisfy the requirements of Brazil and possible

Europe.  But what about the US (FIPS)?  What about Japan?  What about

China?  Most of the ODF vendors today are selling their products

internationally.  The open source implementations are certainly

distributing internationally.  So I think we need a more comprehensive

view of what the digital signature requirements are globally.  Although

XAdES may be part of this, I think it may be worth getting the

requirements up front and to work this out comprehensively.  Maybe it

means we need W3C XML DigSig and 3 other standards, including XAdES.  I

don't know.  But I don't want to wait for ODF 2.0 for this.  I want us to

get this done for ODF 1.2.

 

2) Are we doing the right thing for encryption?  I read one blog post by a

security expert suggesting that what we have specified today may not be

adequate:

 http://blogs.msdn.com/david_leblanc/archive/2008/07/03/office-crypto-follies.aspx

 

3) Are we doing what we need now, to be flexible for what we may add

tomorrow?  For example, we may not allow field level encryption today, or

slide-level signatures today, or multiple author signatures on overlapping

parts of a document, but let's make sure that we don't specify these

things in a way which would preclude us from adding more advanced features

later.  I'd like to be able to wave my arms and describe how these

features could be done, by extending what we have specified, without

looking too foolish.

 

Again, this is not my area of expertise, but I can certainly tap into

security expertise within IBM.  I wonder whether it would be worth putting

together a few experts from TC members and member companies to review what

we have today, and Jomar's/Bob's proposal, and suggest additional

requirements that should be met for ODF 1.2, and serve as a reviewer of

the security areas of the eventual draft text.  This could be done as a

"security subcommittee" like we did with accessibility.  Or we could do it

with a few conference calls, outside of the normal TC call schedule.

 

In the end we need these features in ODF to be world class, because that

is our audience.

 

-Rob

 

  





--

**********************************************************************

Senior Technical Evangelist - Adobe Systems, Inc.

Duane's World TV Show - http://www.duanesworldtv.org/

Blog - http://technoracle.blogspot.com

Community Music - http://www.mix2r.com

My Band - http://www.myspace.com/22ndcentury

Adobe MAX 2008 - http://technoracle.blogspot.com/2007/08/adobe-max-2008.html

**********************************************************************

Agree with this standpoint. I'll consult the China corresponding standard body about their requirements and policies for digital signature/encryption, especially in office software areas.


Best Regards,


Mingfei Jia(贾明飞)

IBM Lotus Symphony Development

IBM China Software Development LAB, Beijing

Tel: 86-10-82452493   Fax: 86-10-82452887

NOTES:Ming Fei Jia/China/IBM   E-mail: jiamingf@cn.ibm.com

Address: 4/F, DeShi Building No.9, East Road, ShangDi, Haidian District, Beijing 100085, PRC


Duane Nickull ---08/01/2008 06:09:06 AM---Good thoughts Robert. I think we ought to call in the right people. You have an expert working for IBM by the name of Mary-an






From:


Duane Nickull <dnickull@adobe.com>



To:


<robert_weir@us.ibm.com>, <office@lists.oasis-open.org>



Date:


08/01/2008 06:09 AM



Subject:


Re: [office] Digital Signature proposal





Good thoughts Robert.  I think we ought to call in the right people.  You have an expert working for IBM by the name of Mary-ann Hondo (spelling?).  I worked with her in other standards groups.  I would also like to suggest we bring in some Adobe experts (people who know way more than me) and perhaps some neutral government people who are responsible for policy in this area.


The rationale?  It would be pointless to build this part of the ODF specification and find out later it doesn’t meet the minimal requirements for 9/10 governments worldwide.  Let’s at least attempt to get it right and make sure that implementers are not locked outside of government contracts due to the spec being sub-standard.


My $0.02 CAD.


Duane



On 31/07/08 2:44 PM, "robert_weir@us.ibm.com" <robert_weir@us.ibm.com> wrote:



Duane Nickull <dnickull@adobe.com> wrote on 07/30/2008 01:49:45 PM:


>

> It sounds like this TC has not documented dSig requirements from users.

As

> a big fan of ODF, I would like to suggest we consider collecting some as

I

> would hate to see implementations of ODF get pushed aside based on not

> meeting the basic requirements for dSig.  I can help reach out to the

> Canadian Government, maybe UK, Austria, Germany and US too.

>

> Thoughts?

>


Document security, both on the encryption and digital signature side is a

critical issue to get right.  I know that I'm not an expert in the area,

but my gut feeling is that we need to bring in some expertise.  This is

similar to what we did when we brought it accessibility experts to

evaluate our gaps and options with ODF 1.0.


The concerns I have are:


1) XAdES appears to satisfy the requirements of Brazil and possible

Europe.  But what about the US (FIPS)?  What about Japan?  What about

China?  Most of the ODF vendors today are selling their products

internationally.  The open source implementations are certainly

distributing internationally.  So I think we need a more comprehensive

view of what the digital signature requirements are globally.  Although

XAdES may be part of this, I think it may be worth getting the

requirements up front and to work this out comprehensively.  Maybe it

means we need W3C XML DigSig and 3 other standards, including XAdES.  I

don't know.  But I don't want to wait for ODF 2.0 for this.  I want us to

get this done for ODF 1.2.


2) Are we doing the right thing for encryption?  I read one blog post by a

security expert suggesting that what we have specified today may not be

adequate: 

http://blogs.msdn.com/david_leblanc/archive/2008/07/03/office-crypto-follies.aspx


3) Are we doing what we need now, to be flexible for what we may add

tomorrow?  For example, we may not allow field level encryption today, or

slide-level signatures today, or multiple author signatures on overlapping

parts of a document, but let's make sure that we don't specify these

things in a way which would preclude us from adding more advanced features

later.  I'd like to be able to wave my arms and describe how these

features could be done, by extending what we have specified, without

looking too foolish.


Again, this is not my area of expertise, but I can certainly tap into

security expertise within IBM.  I wonder whether it would be worth putting

together a few experts from TC members and member companies to review what

we have today, and Jomar's/Bob's proposal, and suggest additional

requirements that should be met for ODF 1.2, and serve as a reviewer of

the security areas of the eventual draft text.  This could be done as a

"security subcommittee" like we did with accessibility.  Or we could do it

with a few conference calls, outside of the normal TC call schedule.


In the end we need these features in ODF to be world class, because that

is our audience.


-Rob





--

**********************************************************************

Senior Technical Evangelist - Adobe Systems, Inc.

Duane's World TV Show - http://www.duanesworldtv.org/

Blog - http://technoracle.blogspot.com

Community Music - http://www.mix2r.com

My Band - http://www.myspace.com/22ndcentury

Adobe MAX 2008 - http://technoracle.blogspot.com/2007/08/adobe-max-2008.html

**********************************************************************

Thanks explanation although that can not convince me completely. You said "...if the application developer choose to only support XMLDsig, it will still being compliant with ODF 1.2...". Is that true?  XMLDsig and XAdES are as different options in the proposal. If the application only implements XMLDsig, could the application claim to be compliant with ODF standard? I think at most it can claim partial compliant. This is the conformance issue.


Another is the interoperability issue. Assume one application only implements XMLDsig, another application only implements XAdES. How does the first application validate the signed document with XAdES format generated by the second application? Seems no way,even both the two applications claim to be compliant with the same ODF standard.



Best Regards,


Mingfei Jia(贾明飞)

IBM Lotus Symphony Development

IBM China Software Development LAB, Beijing

Tel: 86-10-82452493   Fax: 86-10-82452887

NOTES:Ming Fei Jia/China/IBM   E-mail: jiamingf@cn.ibm.com

Address: 4/F, DeShi Building No.9, East Road, ShangDi, Haidian District, Beijing 100085, PRC


Jomar Silva ---07/31/2008 12:16:14 AM---Hi Bob,






From:


Jomar Silva <jomar.silva@br.odfalliance.org>



To:


Bob Jolliffe <bobjolliffe@gmail.com>



Cc:


Ming Fei Jia/China/IBM@IBMCN, office TC <office@lists.oasis-open.org>



Date:


07/31/2008 12:16 AM



Subject:


Re: [office] Digital Signature proposal





Hi Bob,


The XAdES adoption was proposed on Brazilian government by a group of specialists that has analyzed several digital signatures standards and they decided to use ETSI XAdES. XAdES simply extends the XMLDsig standard, already used by BR Digital Signature infrastructure. If an application already supports XMLDsig, it will only need to recognize some aditional parameters to be compatible with XAdES, and if the application developer choose to only support XMLDsig, it will still being compliant with ODF 1.2. This specialist group works on a high level institution in Brazil called ITI, that is related to Brazilian Presidency of the Republic (www.iti.gov.br).


I've updated the proposal, to reference the ETSI XAdES document (http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=21353). There is also an additional document at ETSI website, regarding the XAdES profiles (http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=22942), that defines 3 profiles that can be implemented by applications developers, to assure interoperability (it seems to me that this is more application-specific than something that we need to take care on the file format).


I've also updated the proposed <dsig:document-signatures> attribute, to use the same terms that is used by ETSI to the basic signature types (XAdES-BES and XAdES-EPES).


To understand how Brazilian digital signature infrastructure is working, please check (the pictures) of this presentation: http://www.ciab.org.br/palestras/Wander%20Blanco%20Nunes.pdf (sorry... Brazilian Portuguese, but you may understand the diagrams). There, you may also see that BR infrastructure also use CADES/CMS, but its usage inside ODF spec would be more difficult than using XAdES, an extension of what is already defined on ODF (XMLDsig).


I've also checked the ETSI IPR page (http://webapp.etsi.org/IPR/home.asp) and there are no patents registered there regarding XAdES.


As I've wrote before, the Brazilian DigSig infrastructure (ICP-Brasil) is being adopted as reference for some Latin America countries. There is also a strong effort by Brazilian government to increase the usage of digital signatures, even by small companies. This will means that the Digital Signature capability will be presented on most companies in Brazil on the next few years, and an Office Application that may use it is really desired here.


Fell free to send me any other questions.


Best Regards,


Jomar



Bob Jolliffe escreveu: 

Hi Ming


Thanks for raising these issues.  Taking you comments in reverse order:


2.  I agree we need to understand the W3C/ETSI relationship better.  The XAdES proposal was made as a result of requirements for use in Brazil.  I think we need to ask Jomar to tell us what the current status of XAdES implementation is there.


1.  Agreed.  But there is a considerable scope for signing and validation tools outside of traditional "office products".  For example, the current specification allows for the signing of document fragments using XMLDsig.  There are no current office applications which do this, but it is still useful.  We are working on one such implementation for validating signatures in our workflows in the document management system.  Of course it would be great for office applications to support signing of a text section, but if they don't yet do this its not a disaster.  As long as those existing applications don't trash the signatures they don't understand or care about.


Regards

Bob



2008/7/30 Ming Fei Jia <jiamingf@cn.ibm.com>
I have 2 questions about this proposal:


1)As I know, currently no office products support XAdES. So I would like to know the maturity of this ETSI specification in the market place. ODF is a practical standard that many office products are following up. If ODF introduces and depends on an external immature or unstable specification, this will bring confusion or difficulty for current office product implementations. I only get some experimental results from this link http://www.etsi.org/Application/Search/?search=XAdES.


2)This proposal adopts the XAdES version on W3C(http://www.w3.org/TR/2003/NOTE-XAdES-20030220/), which was submitted on the year 2003, but now still is in status of NOTE made available for W3C discussion only, and the copyright is hold by ETSI. So I would like to know what relationship between ETSI and W3C, and whether this relationship will bring some IP issues for ODF.



Best Regards,


Mingfei Jia(贾明飞)

IBM Lotus Symphony Development

IBM China Software Development LAB, Beijing

Tel: 86-10-82452493 Fax: 86-10-82452887

NOTES:Ming Fei Jia/China/IBM E-mail: jiamingf@cn.ibm.com

Address: 4/F, DeShi Building No.9, East Road, ShangDi, Haidian District, Beijing 100085, PRC


Bob Jolliffe ---07/28/2008 04:41:55 AM---Greetings








From:


Bob Jolliffe <bobj@dst.gov.za>




To:


Jomar Silva <jomar.silva@br.odfalliance.org>



Cc:


office TC <office@lists.oasis-open.org>




Date:


07/28/2008 04:41 AM




Subject:


Re: [office] Digital Signature proposal












Greetings


Given the recent discussions and consensus around workflow of proposals on the TC I would like to try and propose some kind of reasonable timeline for this one.


Can I suggest that

(1) those who are interested try, during the course of this week ahead, to take a look at what is being proposed and return comments to the mailing list

(2) on the basis of the above, we schedule an agenda item for discussion in two weeks - ie 11 August


My understanding is that what is being proposed should not be too controversial or disruptive so it is my hope that we do have some consensus by then.


There is an open question raised by Rob Weir around the status of XaDes.  Jomar, can you tell us what is being referenced in Brazil?


Kind regards

Bob


----- Jomar Silva <jomar.silva@br.odfalliance.org> wrote:

> Greetings.

>

> I've published today at the wiki

> (http://wiki.oasis-open.org/office/DSigProposal) a proposal regarding

> the Digital Signature support on ODF 1.2, basically expanding the

> existing XMLDSIG proposal to also support XAdES.

>

> This proposal was developed by me and Bob Joliffe, as he previously

> announced on the list

> (http://lists.oasis-open.org/archives/office/200804/msg00216.html).

>

> I'm waiting your comments.

>

> Best Regards,

>

> Jomar

>

> ---------------------------------------------------------------------

> To unsubscribe from this mail list, you must leave the OASIS TC that

> generates this mail.  Follow this link to all your TCs in OASIS at:

> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

>

>



---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

2008/7/31 Ming Fei Jia 

  


I just would like to remember that an application that support XAdES
will also support XMLDsig (XAdES is an extension of it).


I also believe that an application that support only XMLDsig, will be
(or may be) able to validate just the XMLDsig portion of the XAdES
signature.


There are diagrams here (http://www.w3.org/TR/XAdES/) that demonstrate
the differences between XMLDsig and XAdES.


Best,


Jomar


Dave Pawson escreveu:
711a73df0807310957v16b85cacs1b3dd7ce92543249@mail.gmail.com" type="cite">
  
2008/7/31 Ming Fei Jia <jiamingf@cn.ibm.com>:
  
  

    
Thanks explanation although that can not convince me completely. You said
"...if the application developer choose to only support XMLDsig, it will
still being compliant with ODF 1.2...". Is that true? XMLDsig and XAdES are
as different options in the proposal. If the application only implements
XMLDsig, could the application claim to be compliant with ODF standard? I
think at most it can claim partial compliant. This is the conformance issue.

Another is the interoperability issue. Assume one application only
implements XMLDsig, another application only implements XAdES. How does the
first application validate the signed document with XAdES format generated
by the second application? Seems no way,even both the two applications claim
to be compliant with the same ODF standard.
    
  
  


A conformance issue for ODF?
Seems the TC has to choose one or the other if interoperability is
to work for signed documents.


regards






  

I am not sure exactly how one should define conformance in this
context.  I don't think we are saying anywhere that an application has
to *necessarily* be able to generate or validate signatures to be
compliant.  I believe there are many odf applications out there which
don't do either of these.   I guess this is a difference between formal
compliance and semantic compliance.


As it is there are no applications out there which support all of the features of
XMLDSig.  So including the XAdES extension - which mostly means
including the XAdES namespace declaration - simply allows applications
to make use of the extensions if they choose to, which is not that
different to the status quo.


On interoperability issues, the XAdES extension makes use of the
<Object> element in XMLDSig to add additional qualifying
properties to the signature.  A XAdES signature should thus validate
correctly with an XMLDSig processor.  Obviously it would ignore the
important qualifying properties like <SigningTime>, but otherwise will interoperate just dandy.

Going the other way poses one small issue which is worth noting.  The XAdES specification requires that all of the XMLDSig elements are prefixed <ds:Signature> etc.  Currently, with XMLDSig the prefix is optional.  If interoperability is an issue (which of course it is) we should have a strong recommendation that producers of XMLDSig signatures make use of the prefix.


Regards

Bob

2008/7/31 Jomar Silva <jomar.silva@br.odfalliance.org>




  


I just would like to remember that an application that support XAdES
will also support XMLDsig (XAdES is an extension of it).


I also believe that an application that support only XMLDsig, will be
(or may be) able to validate just the XMLDsig portion of the XAdES
signature.


There are diagrams here (http://www.w3.org/TR/XAdES/) that demonstrate
the differences between XMLDsig and XAdES.


Best,


Jomar


Dave Pawson escreveu:

  
2008/7/31 Ming Fei Jia <jiamingf@cn.ibm.com>:
  
  

    
Thanks explanation although that can not convince me completely. You said
"...if the application developer choose to only support XMLDsig, it will
still being compliant with ODF 1.2...". Is that true? XMLDsig and XAdES are
as different options in the proposal. If the application only implements
XMLDsig, could the application claim to be compliant with ODF standard? I
think at most it can claim partial compliant. This is the conformance issue.

Another is the interoperability issue. Assume one application only
implements XMLDsig, another application only implements XAdES. How does the
first application validate the signed document with XAdES format generated
by the second application? Seems no way,even both the two applications claim
to be compliant with the same ODF standard.
    
  
  
A conformance issue for ODF?
Seems the TC has to choose one or the other if interoperability is
to work for signed documents.


regards






  

2008/7/31 Bob Jolliffe 

I would highly recommend using government requirements for compliancy.  Things like FIPS are often pre-requisites to use by these end users and they need confidence to know that Dsig can be counted on if implementations claim conformancy. I would go as far as to maybe set up a Sub Committee to write a test that a conforming application must pass (such as changing one byte and requiring the signature digest to report that the document has been changed, being able to authenticate and determine a digital cert is still valid etc.).


Duane



On 31/07/08 11:41 AM, "Dave Pawson" <dave.pawson@gmail.com> wrote:


2008/7/31 Bob Jolliffe <bobjolliffe@gmail.com>:

> I am not sure exactly how one should define conformance in this context.  I

> don't think we are saying anywhere that an application has to *necessarily*

> be able to generate or validate signatures to be compliant.  I believe there

> are many odf applications out there which don't do either of these.   I

> guess this is a difference between formal compliance and semantic

> compliance.


So if it's not supported, is the application compliant?

If it's an optional feature, and an application supports dig sig

then it may be compliant.

Ditto if it supports XAdES it may be compliant.


If it supports digSig but not XAdES is it compliant or not? I'd suggest not.

( I noted a 'may' in the last email). That leaves the app able to work

with digsig but not with XAdES signatures. An interop hell if anyone cares.


The spec must have a clause for which a compliance statement can

be made clearly and without ambiguity. 'may use an extension' doesn't

seem like clear compliance to me.


regards



--

Dave Pawson

XSLT XSL-FO FAQ.

http://www.dpawson.co.uk


---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php





--

**********************************************************************

Senior Technical Evangelist - Adobe Systems, Inc.

Duane's World TV Show - http://www.duanesworldtv.org/

Blog - http://technoracle.blogspot.com

Community Music - http://www.mix2r.com

My Band - http://www.myspace.com/22ndcentury

Adobe MAX 2008 - http://technoracle.blogspot.com/2007/08/adobe-max-2008.html

**********************************************************************

Jomar,

Jomar Silva wrote:
> I just would like to remember that an application that support XAdES 
> will also support XMLDsig (XAdES is an extension of it).
> 
> I also believe that an application that support only XMLDsig, will be 
> (or may be) able to validate just the XMLDsig portion of the XAdES 
> signature.

Both is my understanding as well.

When looking at your proposal: Is the 

Hello Michael

2008/8/8 Michael Brauer - Sun Germany - ham02 - Hamburg <Michael.Brauer@sun.com>

Jomar,



Jomar Silva wrote:


I just would like to remember that an application that support XAdES will also support XMLDsig (XAdES is an extension of it).


I also believe that an application that support only XMLDsig, will be (or may be) able to validate just the XMLDsig portion of the XAdES signature.



Both is my understanding as well.


When looking at your proposal: Is the <dsig:signature-type> element really required, or could an application guess that a signature is a XAdes signature by analyzing the content of the signature's <object> element?

I don't believe the <dsig:signature-type> element is absolutely required.  An application should be able to infer  the signature from the contents of the <object> element.

The idea is to provide some sort of hint to the application, but one could debate as to whether this is necessary or desirable.

Looking at the OASIS Digital Signature Services (DSS) profile for Advanced Digirtal Signatures (http://docs.oasis-open.org/dss/v1.0/oasis-dss-profiles-AdES-spec-v1.0-os.html) it is interesting to note that they have an optional <SignatureType> element which is used for a different purpose:

"3.3.1.1.2.1     Optional Input
      <SignatureType>
      
This element is OPTIONAL. If present, <SignatureType> SHALL be either:
      
urn:ietf:rfc:3275
      
for requesting XML-based signatures, or
      
urn:ietf:rfc:3369
      
for requesting CMS-based signatures ..."
The same DSS spec does make use an element called <SignatureForm> to differentiate between different forms of XAdES signature in a signing request.  Section 7.1 of the document lists unique urn identifiers for the different forms of AdES signatures.  If we were to include such an element in ODF it might make sense for consistency

(1) to use the name signature-form rather than signature-type
(2) to use the same identifiers as listed in the DSS spec


If the <dsig:signature-type> element is not required, is it them required to list XAdes in the specification? Or can we simply say ODF supports XML DSig. XAdes signatures are an extension of XML DSig. ODF therefore automatically supports XAdes signatures.

Would it still be necessary to list the XAdES namespace declaration in order to validate XAdES signatures?  Otherwise we could only validate that it is a valid XML DSIG signature.

Similarly  we can already say that ODF supports the use of XML DSIG to sign fragments of an XML stream so there technically is nothing to add.  What I would like to see, as a requirement for conformance, is that applications don't  clobber those signatures if they don't use them.  This seems to be the current behaviour of openoffice for example.  This is why we suggested naming a particular file, fragment-signatures.xml, though this is not strictly necessary if applications agree not to remove files <xxx>-signatures.xml if they are referred in the manifest.

Regards
Bob



Michael




There are diagrams here (http://www.w3.org/TR/XAdES/) that demonstrate the differences between XMLDsig and XAdES.


Best,


Jomar


Dave Pawson escreveu:


2008/7/31 Ming Fei Jia <jiamingf@cn.ibm.com>:

  


Thanks explanation although that can not convince me completely. You said

"...if the application developer choose to only support XMLDsig, it will

still being compliant with ODF 1.2...". Is that true? XMLDsig and XAdES are

as different options in the proposal. If the application only implements

XMLDsig, could the application claim to be compliant with ODF standard? I

think at most it can claim partial compliant. This is the conformance issue.


Another is the interoperability issue. Assume one application only

implements XMLDsig, another application only implements XAdES. How does the

first application validate the signed document with XAdES format generated

by the second application? Seems no way,even both the two applications claim

to be compliant with the same ODF standard.

    




A conformance issue for ODF?

Seems the TC has to choose one or the other if interoperability is

to work for signed documents.



regards







  






--

Michael Brauer, Technical Architect Software Engineering

StarOffice/OpenOffice.org

Sun Microsystems GmbH             Nagelsweg 55

D-20097 Hamburg, Germany          michael.brauer@sun.com

http://sun.com/staroffice         +49 40 23646 500

http://blogs.sun.com/GullFOSS


Sitz der Gesellschaft: Sun Microsystems GmbH, Sonnenallee 1,

           D-85551 Kirchheim-Heimstetten

Amtsgericht Muenchen: HRB 161028

Geschaeftsfuehrer: Thomas Schroeder, Wolfgang Engels, Dr. Roland Boemer

Vorsitzender des Aufsichtsrates: Martin Haering


---------------------------------------------------------------------

To unsubscribe from this mail list, you must leave the OASIS TC that

generates this mail.  Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

Bob,

Bob Jolliffe wrote:
> I don't believe the 

Hi Michael

2008/8/11 Michael Brauer - Sun Germany - ham02 - Hamburg <Michael.Brauer@sun.com>

Bob,



Bob Jolliffe wrote:


I don't believe the <dsig:signature-type> element is absolutely required.  An application should be able to infer  the signature from the contents of the <object> element.


The idea is to provide some sort of hint to the application, but one could debate as to whether this is necessary or desirable.



It is my understanding that DSS describes signing and verifying protocols. I haven't had the time to have a closer look at the DSS specification, but maybe the DSS spec has some advice for us here. If a signing service in the case that a XAdes signature is requested would just create a XAdes signature, then the signature type probably is not required. If a signing service would store the information that a XAdes signature was requested, then we may want to do so, too, regardless whether this is necessary. It may also helpful to know whether a verifying service would auto-detect a XAdes signature, and how.

When the DSS service is used to request a signature it clearly needs to specify which format of signature is required.  Whether there is merit in storing a signature format indication together with the signature is still open to question - I will follow up and report back.






Looking at the OASIS Digital Signature Services (DSS) profile for Advanced Digirtal Signatures (http://docs.oasis-open.org/dss/v1.0/oasis-dss-profiles-AdES-spec-v1.0-os.html) it is interesting to note that they have an optional <SignatureType> element which is used for a different purpose:


"3.3.1.1.2.1     Optional Input <SignatureType>


This element is OPTIONAL. If present, <SignatureType> SHALL be either:


*urn:ietf:rfc:3275*


for requesting XML-based signatures, or


*urn:ietf:rfc:3369*


for requesting CMS-based signatures ..."


The same DSS spec does make use an element called <SignatureForm> to differentiate between different forms of XAdES signature in a signing request.  Section 7.1 of the document lists unique urn identifiers for the different forms of AdES signatures.  If we were to include such an element in ODF it might make sense for consistency


(1) to use the name signature-form rather than signature-type


(2) to use the same identifiers as listed in the DSS spec



I agree to this.


DSS is a set of a core specification and a set of profiles. Maybe this is a structure we can or should adopt.
 
Agreed.  Though a well designed extensible "framework" for digital signatures in ODF might be a more significant amount of work.  I will investigate.

 





    If the <dsig:signature-type> element is not required, is it them

    required to list XAdes in the specification? Or can we simply say

    ODF supports XML DSig. XAdes signatures are an extension of XML

    DSig. ODF therefore automatically supports XAdes signatures.



Would it still be necessary to list the XAdES namespace declaration in order to validate XAdES signatures?  Otherwise we could only validate that it is a valid XML DSIG signature.


Similarly  we can already say that ODF supports the use of XML DSIG to sign fragments of an XML stream so there technically is nothing to add.  What I would like to see, as a requirement for conformance, is that applications don't clobber those signatures if they don't use them.  




How do you define "use"? Is that the load - modify (per user interaction) - save scenario? Or the situation where another signature is added to a document?
 
The load-modify-save scenario.  If I have a set of signatures in a file called META-INF/mysignatures.xml, for example, this file is removed (by openoffice) when I modify the document in any way.  I guess the application makes the assumption that modifying the document necessarily invalidates the signatures.  This is not a fair assumption to make as it prevents the signatures on parts of a document surviving load-modify-save sessions which only modify unsigned parts of the document.

Kind regards
Bob





This seems to be the current behaviour of openoffice for example.  This is why we suggested naming a particular file, fragment-signatures.xml, though this is not strictly necessary if applications agree not to remove files <xxx>-signatures.xml if they are referred in the manifest.




Best regards


Michael



--

Michael Brauer, Technical Architect Software Engineering

StarOffice/OpenOffice.org

Sun Microsystems GmbH             Nagelsweg 55

D-20097 Hamburg, Germany          michael.brauer@sun.com

http://sun.com/staroffice         +49 40 23646 500

http://blogs.sun.com/GullFOSS


Sitz der Gesellschaft: Sun Microsystems GmbH, Sonnenallee 1,

           D-85551 Kirchheim-Heimstetten

Amtsgericht Muenchen: HRB 161028

Geschaeftsfuehrer: Thomas Schroeder, Wolfgang Engels, Dr. Roland Boemer

Vorsitzender des Aufsichtsrates: Martin Haering