OASIS Digital Signature Services eXtended (DSS-X) TC

  • 1.  CORS settings on OASIS specs

    Posted 08-04-2019 13:23
    Hi Chet,

    yet another question: What's the OASIS policy on CORS headers? I just came across this topic when trying to open the OAS-Spec of the DSS-X core 2.0. The request to open https://docs.oasis-open.org/dss-x/dss-core/v2.0/cs01/schema/oasis-dss-core-openapi.json on https://editor.swagger.io fails without any hint. There should be some information for the user, but that's not our responsibility. After opening the browser I learned that the cause is a missing CORS header enabling the browser to access the DSS-X core spec in a cross-domain manner.

    Would it be possible to add the corresponding header?

    Greetings,
    Andreas

    --
    Andreas Kühne
    Chair of OASIS DSS-X
    phone: +49 177 293 24 97
    mailto: kuehne@trustable.de
    Trustable Ltd. Niederlassung Deutschland Gartenheimstr. 39C - 30659 Hannover Amtsgericht Hannover HRB 212612
    Director Andreas Kühne
    Company UK Company No: 5218868 Registered in England and Wales


  • 2.  Re: CORS settings on OASIS specs

    Posted 08-05-2019 14:15
    Andreas, I don't fully understand your question.

    If it is whether or not you all can add a CORS header to some of your files, then yes, certainly, you can do so.

    If it is whether or not I can add a CORS header, then my question is 'what do you need me to do and where do you need it done?'

    --
    /chet
    ----------------
    Chet Ensign
    Chief Technical Community Steward
    OASIS: Advancing open standards for the information society
    http://www.oasis-open.org
    Mobile: +1 201-341-1393


  • 3.  Re: CORS settings on OASIS specs

    Posted 08-05-2019 18:51
    Hi Chet,

    yes, I guess we need a CORS header at least for the oasis-dss-core-openapi.json and oasis-dss-metadata-openapi.json. But it could be absolutely possible that other files (XML schemes) could be accessed by a browser-based application. Does OASIS have a policy for handling Cross-Site-Requests? We don't want to introduce any security holes or inconveniences for the administrators.

    Greetings,
    Andreas


  • 4.  Re: CORS settings on OASIS specs

    Posted 08-05-2019 20:50
    I'll check and reply back. Need to check with Scott and IT.


  • 5.  Re: CORS settings on OASIS specs

    Posted 08-22-2019 17:41
    Hi Andreas - I've contacted Scott and Jesse about this. I'll let you know what I learn. I very much appreciate you asking before taking the action.

    Best,
    /chet


  • 6.  Re: CORS settings on OASIS specs

    Posted 08-23-2019 16:27
    Hi Andreas,

    Jesse, our IT contact, recommends that we just enable CORS for all of docs.oasis-open.org. That should eliminate the need for you to explicitly set them for your schemas. I'll let you know as soon as we have a final disposition.

    /chet


  • 7.  Re: [dss-x] Re: CORS settings on OASIS specs

    Posted 08-23-2019 18:36
    Hi Chet,

    that looks like a simple solution for us!

    Greetings,
    Andreas


  • 8.  Fwd: CORS settings on OASIS specs

    Posted 08-26-2019 20:05
    TAB, question for you. Is anyone familiar with CORS (Cross-Origin Resource Sharing) headers?

    I have this question from Andreas, the chair of the DSS-X TC, about whether we have concerns with them adding a Cross-Origin Resource Sharing (CORS) header to DSS-X JSON schemas. DSS-X is the TC that has been using the free SwaggerHub account I set up to publish their APIs.

    The CORS mechanism uses HTTP headers to tell a browser to let a web application running at one domain access resources from a server at a different origin.

    Andreas says that they would like to add CORS headers to at least the oasis-dss-core-openapi.json and oasis-dss-metadata-openapi.json. But since it could be possible that other files (XML schemes) could be accessed by a browser-based application, they'd probably want to add them to all the schemas. He kindly notes that they "don't want to introduce security holes or inconveniences for the administrators."

    Do any of you know if this poses any risks or if it should be OK?
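
An added example, not part of the thread: a simplified JavaScript model of the check a browser applies to the response when a page on one origin (here https://editor.swagger.io) fetches a file from another, such as a schema on docs.oasis-open.org. The function names and the sample header sets are constructed for illustration, and preflight requests are left out because a plain GET for a schema file does not trigger one.

```javascript
// Simplified model of the Fetch standard's "CORS check" for a cross-origin GET.
// Function names and sample data are constructed for this example.

// HTTP header names are case-insensitive; values are compared exactly.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// Returns whether script running on `pageOrigin` may read the response.
// `withCredentials` models fetch(..., { credentials: "include" }).
function corsCheck(pageOrigin, responseHeaders, withCredentials = false) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (!withCredentials) {
    const ok = allowOrigin === "*" || allowOrigin === pageOrigin;
    return { readable: ok, reason: ok ? "origin allowed" : "origin not allowed" };
  }
  // With cookies or HTTP auth attached, the wildcard is not accepted: the
  // server must name the origin and also opt in to credentials.
  if (allowOrigin !== pageOrigin) {
    return { readable: false, reason: "credentialed request needs the exact origin" };
  }
  const allowCreds = getHeader(responseHeaders, "Access-Control-Allow-Credentials");
  const ok = allowCreds === "true";
  return { readable: ok, reason: ok ? "origin and credentials allowed" : "credentials not allowed" };
}

// Constructed response header sets for a static JSON schema file.
const EDITOR = "https://editor.swagger.io";
const SAMPLES = {
  noCors: { "Content-Type": "application/json" },
  wildcard: { "Content-Type": "application/json", "Access-Control-Allow-Origin": "*" },
  pinned: { "Access-Control-Allow-Origin": EDITOR, "Vary": "Origin" },
};

function runSamples() {
  return {
    noCors: corsCheck(EDITOR, SAMPLES.noCors).readable,
    wildcard: corsCheck(EDITOR, SAMPLES.wildcard).readable,
    wildcardWithCookies: corsCheck(EDITOR, SAMPLES.wildcard, true).readable,
    pinnedOtherSite: corsCheck("https://other.example", SAMPLES.pinned).readable,
  };
}

console.log(runSamples());
```

The wildcard case is the one that applies to public, unauthenticated files: any page can read them, but a request that carries cookies is still refused.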