XAdES Support and the Revised OPC [formerly "DR 11-0030: Proposal"]

Shawn Villaron shawnv at microsoft.com
Thu Jun 2 16:01:15 CEST 2016 

And I believe that this discussion indicates more investigation is necessary before we can commit to any particular course of action.  I’ll circle with Darrin and see what we can do from our side.

From: eb2mmrt at gmail.com [mailto:eb2mmrt at gmail.com] On Behalf Of MURATA Makoto
Sent: Thursday, June 2, 2016 3:15 AM
To: SC34 <e-SC34-WG4 at ecma-international.org>
Subject: Re: XAdES Support and the Revised OPC [formerly "DR 11-0030: Proposal"]

I vaguely remember that Tracie said that Microsoft implements
most of the mandatory algorithms.   But Tracie left Microsoft.

BTW, I heard from my Japanese XAdES colleague that few of the
XAdES EN implementations support mandatory algorithms in
DSig 1.1.

Regards,
Makoto

2016-06-02 19:05 GMT+09:00 Francis Cave <francis at franciscave.com<mailto:francis at franciscave.com>>:
Murata-san

It is obviously preferable if we only have to reference the latest version of XML DSig. From a cursory glance at the specifications, the following paragraph appears to summarise the changes in XML DSig 1.1 that affect conformance:

“Conformance-affecting changes of XML Signature 1.1 against [the] previous recommendation mainly affect the set of mandatory to implement cryptographic algorithms, including Elliptic Curve DSA (and mark-up for corresponding key material), and additional hash algorithms. A detailed explanation of changes since the last Recommendation are available [XMLDSIG-CORE1-CHGS<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.w3.org%2fTR%2f2013%2fREC-xmldsig-core1-20130411%2f%23bib-XMLDSIG-CORE1-CHGS&data=01%7c01%7cshawnv%40microsoft.com%7cbb6c001921a04da3a42808d38acedde6%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3IHKp2sqTeRypHJ2AVU9prjjgkHlMgWMNfhAR82nrhk%3d>]. Changes are also described in a diff document showing changes since the Second Edition<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.w3.org%2fTR%2f2013%2fREC-xmldsig-core1-20130411%2fOverview_diff_rec.html&data=01%7c01%7cshawnv%40microsoft.com%7cbb6c001921a04da3a42808d38acedde6%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=0Zn%2bsUCiAlq0i736C0A%2fS33WxFSOJaqd3nR1fLTr0pU%3d>, as well as a diff document showing changes since the previous PR draft<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.w3.org%2fTR%2f2013%2fREC-xmldsig-core1-20130411%2fOverview_diff.html&data=01%7c01%7cshawnv%40microsoft.com%7cbb6c001921a04da3a42808d38acedde6%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=CPtqgibMyv1c46AnNuY61%2f2vvUPubs5iqkJfl95YvAY%3d>.”

Since this is not my area of expertise, I’m not sure whether we have already adequately reviewed the changes in XML DSig 1.1. Does this need more discussion in Prague? I guess that we need the Ecma team to confirm that they agree that referencing XML DSig 1.1 and not the previous edition won’t break existing implementations.

Kind regards,

Francis



From: eb2mmrt at gmail.com<mailto:eb2mmrt at gmail.com> [mailto:eb2mmrt at gmail.com<mailto:eb2mmrt at gmail.com>] On Behalf Of MURATA Makoto
Sent: 02 June 2016 08:31
To: Francis Cave <francis at franciscave.com<mailto:francis at franciscave.com>>
Cc: SC34 <e-SC34-WG4 at ecma-international.org<mailto:e-SC34-WG4 at ecma-international.org>>
Subject: Re: XAdES Support and the Revised OPC [formerly "DR 11-0030: Proposal"]

Francis,

XML DSig 1.1 discourages or deprecates some features of DSig 1.0.
However, in my understanding, any digital signature conformant to
DSig 1.0 is also conformant to DSig 1.1.  I said so to Tracie in Barcelona.

I thus think that a normative ref to DSig 1.1 is good enough for
"allow for both DigSig 1.0 and 1.1 in the text".  If we normatively
reference DSig 1.0, we will recommend SHA-1.  I think that
we shouldn't.

Regards,
Makoto

2016-05-05 20:45 GMT+09:00 Francis Cave <francis at franciscave.com<mailto:francis at franciscave.com>>:
My recollection accords with the meeting minutes. As I understand it, there is a consensus that we normatively need to allow for both versions of DSig, so that existing implementations (such as MSOFFCRYPTO) are still conformant, but we can also recommend use of the XAdES EN in an informative annex. I presume that what Murata-san means is that we are committed to introduce text into the OPC revisions that is in line with that consensus.

Francis



From: Rex Jaeschke [mailto:rex at RexJaeschke.com<mailto:rex at RexJaeschke.com>]
Sent: 04 May 2016 20:03
To: 'SC34' <e-SC34-WG4 at ecma-international.org<mailto:e-SC34-WG4 at ecma-international.org>>
Subject: XAdES Support and the Revised OPC [formerly "DR 11-0030: Proposal"]

Hi there Murata-san,

Below, you wrote, “We are committed to the introduction of XAdES EN into the OPC revision.”

I’m asking for clarification of this statement, so it is not misunderstood. At a glance, it seems to be making a broader claim that I thought WG4 had agreed to.

From the Barcelona meeting minutes: “On Tuesday, in WG4 discussions: There was consensus that we should produce an informative annex describing a profile for XAdES appropriate for use with OPC, and allow for both DigSig 1.0 and 1.1 in the text.”

When this was agreed to, it was my understanding that there would *not* be any mandatory normative text re XAdES in the new OPC spec. Instead, the informative profile would give directions as to how an implementation could support XAdES, if it chose to do so. Specifically, a conforming implementation of the next edition of 29500-2 need *not* provide any support for XAdES at all.

Rex



From: eb2mmrt at gmail.com<mailto:eb2mmrt at gmail.com> [mailto:eb2mmrt at gmail.com] On Behalf Of MURATA Makoto
Sent: Saturday, April 30, 2016 10:41 AM
To: SC34 <e-SC34-WG4 at ecma-international.org<mailto:e-SC34-WG4 at ecma-international.org>>
Subject: DR 11-0030: Proposal

DR 11-0030 - OPC:  Obsolete version of W3C XML Digital Signature 1.0
https://skydrive.live.com/view.aspx/Public%20Documents/2011/DR-11-0030.docx?cid=c8ba0861dc5e4adc&sc=documents<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fskydrive.live.com%2fview.aspx%2fPublic%2520Documents%2f2011%2fDR-11-0030.docx%3fcid%3dc8ba0861dc5e4adc%26sc%3ddocuments&data=01%7c01%7cshawnv%40microsoft.com%7cbb6c001921a04da3a42808d38acedde6%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=UUcpEtQBa0ZI0h6EkapdnpayPl95HI3iQ1W1K4lKoxs%3d>

This DR requests a change in the normative reference of Part 2 §3 from XMLDSig 1.0 (http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/<https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.w3.org%2fTR%2f2002%2fREC-xmldsig-core-20020212%2f&data=01%7c01%7cshawnv%40microsoft.com%7cbb6c001921a04da3a42808d38acedde6%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=Rghx4cXmTQxklEGXnVjC%2bIWq%2bBVls5luhfz4X4SyALQ%3d>) to XMLDSig 1.1 (http://www.w3.org/TR/xmldsig-core1/<https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.w3.org%2fTR%2fxmldsig-core1%2f&data=01%7c01%7cshawnv%40microsoft.com%7cbb6c001921a04da3a42808d38acedde6%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=%2b5ybHVsZ7nRtOqBmcTCVubcIjGy9P7zA7YZlUxGwcq8%3d>).

We are committed to the introduction of XAdES EN into
the OPC revision.  XAdES EN uses XML DSig 1.1
rather than 1.0.  I thus believe that we cannot stick
to DSig 1.0.

Regards,
Makoto



--

Praying for the victims of the Japan Tohoku earthquake

Makoto



--

Praying for the victims of the Japan Tohoku earthquake

Makoto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.vse.cz/pipermail/sc34wg4/attachments/20160602/94878418/attachment-0001.html>

More information about the sc34wg4 mailing list