Japanese position on the introduction of XAdES to OPC.

Sat Jun 6 00:34:39 CEST 2015

John,

2015-06-06 7:14 GMT+09:00 John Haug <johnhaug at exchange.microsoft.com>:

>  It would be handy to have a set of OOXML files with various levels of
> XAdES signatures…
>
>
>

Agreed.  But JNSA is not sure if making the existing XAdES as a first-class
citizen
(i.e., conformance without relying on extension points) rather than a
second-class
citizen (i.e., conformance bases on extension points) has enough advantages
for
justifying the cost for preparing such a set of OOXML files and studying
the
behaviour of MS Office.   After all, EU will not care the existing XAdES.
It will care
the upcoming XAdES, which is backed by eIDAS.

>  > However, JNSA experts believe that MS Office reports such signatures
> as errors.
>
> That may be, I don’t know – I have no files to test or check with the
> security team.
>
> > disallow this behaviour thus making MS Office non-conformant
>
> Not so much non-conformant as simply not supporting a particular level,
> no?  I don’t think there is a requirement to support all levels of XAdES.
>
>
>

XAdES-X-L without references to validation data and that with references to
validation data are both
XAdES-X-L.  If you support XAdES-X-L, you have to handle both of them
correctly.

>  I’m not sure what Office does with a -A signature – I’ve never seen a
> file with one.  I *suspect* anytime it runs into a signature it can’t parse
> (either due to an error in the signature markup or finding markup it
> doesn’t understand), it warns the user that the signature is invalid.
>

Regards,
Makoto

>
> John
>
>
>
> *From:* eb2mmrt at gmail.com [mailto:eb2mmrt at gmail.com] *On Behalf Of *MURATA
> Makoto
> *Sent:* Friday, June 5, 2015 2:48 PM
> *To:* e-SC34-WG4 at ecma-international.org
>
> *Subject:* Re: Japanese position on the introduction of XAdES to OPC.
>
>
>
> Please look at the page "State transitions of the XAdES profiles" in
>
> Lecture_on_XAdES_20140923.pdf in WG4 N 289 (in 2014).  It was used in
>
> Kyoto.
>
>
>
>
> http://isotc.iso.org/livelink/livelink?func=ll&objId=16821707&objAction=Open
>
>
>
> It clearly shows that XAdES-X-L (and XAdES-A) can be created from
>
> XAdES-T.  It is not required to create XAdES-C before creating
>
> XAdES-X-L.  In other words, XAdES-X-L signatures WITHOUT REFERENCES TO
>
> VALIDATION DATA are perfectly legitimate XAdES signatures.  However,
>
> JNSA experts believe that MS Office reports such signatures as errors.
>
> If the upcoming revision explicitly allows the use of the current
>
> version of XAdES, it will disallow this behaviour thus making MS
>
> Office non-conformant.
>
>
>
> I understand why this misinterpretation happened.  The existing XAdES
>
> specifications are extremely unclear about the relationship of
>
> conformance levels.  However, those who are involved in XAdES
>
> implementations (and interoperability testing) agree that XAdES-X-L
>
> signatures without references to validation data are perfectly
>
> legitimate.
>
>
>
> You wrote: "I believe Microsoft Office supports all except -A."
>
> What does Microsoft Office do when it receives XAdES-A?  Does
>
> it report an error?
>
>
>
> Regards,
>
> Makoto
>
>
>
> 2015-06-06 5:39 GMT+09:00 John Haug <johnhaug at exchange.microsoft.com>:
>
>  I had to dig back through old mail with the security folks who worked on
> this years ago.  If this is related to the question about “validation data”
> and MS-OFFCRYPTO seemingly requiring –C and disallowing –T, I’m told that’s
> not the intent.  OPC should allow whatever XAdES levels it defines;
> applications can choose whether to support various levels based on their
> needs and industry adoption.  I believe Microsoft Office supports all
> except -A.
>
>
>
> John
>
>
>
> *From:* eb2mmrt at gmail.com [mailto:eb2mmrt at gmail.com] *On Behalf Of *MURATA
> Makoto
> *Sent:* Saturday, May 30, 2015 1:48 AM
> *To:* John Haug
> *Cc:* e-SC34-WG4 at ecma-international.org
> *Subject:* Re: Japanese position on the introduction of XAdES to OPC.
>
>
>
>
>
>
>
> 2015-05-29 3:21 GMT+09:00 John Haug <johnhaug at exchange.microsoft.com>:
>
>  > Then, we will have two sets of conventions: Microsoft XAdES and the
> revised OPC.  They are unlikely to be identical.
>
> I think this is the crux of what we need to figure out in detail.  My
> impression is that XAdES hasn’t changed terribly in its markup details,
> which would allow OPC to make restricting statements that would apply
> equally to current and upcoming XAdES.  I may be wrong.  Though if the
> differences are minor, we may simply note something like: for TS 101 903:
> foo, and for EN 319 132: bar.  We have a proposed set of requirements based
> on TS 101 903 in a draft we looked at in Bellevue, very similar to both
> MS-OFFCRYPTO and ODF 1.2, which we could evaluate against the latest draft
> of EN 319 132 to get a better idea of this.
>
>
>
> The conventions on the use of the current XAdES, if standardized
>
> as part of the OPC revision, would allow XAdES-A as well as -L/-X-L
> without
>
> -C.   (This is the right thing to do.)  But how does  Microsoft Office as
> of now
>
>  handle them?
>
>
>
> JNSA experts believe that Microsoft Office cannot handle -L/-X-L without
> -C.
>
> In other words, standardizing the conventions on the use of the
>
> current XAdES may make Microsoft Office non-conformant.
>
>
>
> Regards,
>
> Makoto
>
>
>
>
>
>
>
>
>
>
>
> --
>
>
> Praying for the victims of the Japan Tohoku earthquake
>
> Makoto
>

-- 

Praying for the victims of the Japan Tohoku earthquake

Makoto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.vse.cz/pipermail/sc34wg4/attachments/20150606/c224f96d/attachment.html>