<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:64835971;
mso-list-template-ids:-1315789634;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1712921780;
mso-list-template-ids:-1623292522;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I nearly forgot, I compared the XAdES-specific requirements in MS-OFFCRYPTO and those we looked at last year in ODF (ODF 1.2 Part 3, section 5.3). Here is what
I found.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">SignedSignatureProperties > SigningCertificate -- in BOTH<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">SigningTime – “should” in ODF, “MUST” in OFFCRYPTO<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">EncapsulatedTimeStamp (DER-encoded ASN.1) -- in BOTH<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">CompleteCertificateRefs/CompleteRevocationRefs -- in OFFCRYPTO only<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">SigAndRefsTimestamp for refs to validation data -- in BOTH<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">CertificateValues/RevocationValues -- in OFFCRYPTO only<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Reference element for digest of SignedProperties<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">-- ODF: child of SignedInfo<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">-- OFFCRYPTO: child of SignedInfo (preferred) or Object > Manifest (with id=”idXAdESReferenceObject”)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">They’re pretty similar, MS-OFFCRYPTO has slightly tighter requirements. So, no notable differences between the two that we would need to research. The XAdES
requirements we’ll want to add to Part 2 look fairly well known to the industry.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> John Haug [mailto:johnhaug@exchange.microsoft.com]
<br>
<b>Sent:</b> Thursday, January 15, 2015 12:05 PM<br>
<b>To:</b> MURATA, Makoto (eb2m-mrt@asahi-net.or.jp); SC34<br>
<b>Subject:</b> RE: XAdES elements in OFF-CRYPTO of Microsoft<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Do you know what the basis is for thinking –C and –X are mandatory? I assume he’s looking at the 5<sup>th</sup> and 6<sup>th</sup> bullets under 2.5.2.6 in MS-OFFCRYPTO.
I read these as conditionals – if you use validation data, then you must do it this way.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">(1) Are there alternate ways to specify references to validation data other than as specified in XAdES 7.4 (and 4.4/4.4.3, which say signatures with validation
data are –T and –C.)? If so, the 5<sup>th</sup> bullet is just requiring one way where a choice exists. If not and XAdES-C is the only way, the 5<sup>th</sup> bullet seems to just restate what XAdES-C requires. I don’t see other ways and I might read that
bullet as precluding use of XAdES-T, which I’m sure is the wrong interpretation.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">(2) Are there alternate ways to specify time stamps on references to validation data? It seems so: SigAndRefsTimeStamp and RefsOnlyTimeStamp. In this case,
MS-OFFCRYPTO appears to be simply requiring the use of one method where an option exists for implementers. The mandate here appears to be use of XAdES-X type 1 and not XAdES type 2 if you use XAdES-X.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal">Furthemore, as agreed in Kyoto, we should allow EPES/BES, T, X-L, and A.<br>
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Yes. As reference for today’s call, here are my relevant notes from our discussion and decisions at the Kyoto meeting.<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:middle"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">What to specify<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo3;vertical-align:middle">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Anything re: grace period? NO - for implementers, not for file format.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo3;vertical-align:middle">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Which parts/relationships must/must not be signed? Part 2 does not currently say anything to this effect. NO - for implementers, based on user scenario.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo3;vertical-align:middle">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Additional restrictions a la ODF? (for interoperability) NEEDS RESEARCH<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo3;vertical-align:middle">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Other restrictions? (disallow less useful levels?)</span>
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span>
<ul style="margin-top:0in" type="circle">
<li class="MsoNormal" style="color:black;mso-list:l0 level2 lfo3;vertical-align:middle">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">e.g., BES/EPES plus ISO profile<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level2 lfo3;vertical-align:middle">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Don't mandate/prohibit, give guidance - normative SHOULD or informative NOTE<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo3;vertical-align:middle">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Does OPC require signing a relationship that targets a part that is signed? Don't think so (relationships can be signed, but not required). Should this be mandated? NO.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo3;vertical-align:middle">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">RenewedDigests - mention this?</span>
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span>
<ul style="margin-top:0in" type="circle">
<li class="MsoNormal" style="color:black;mso-list:l0 level2 lfo3;vertical-align:middle">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Can reference new ETSI std once published (expected within the next year)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level2 lfo3;vertical-align:middle">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Should only contain this addition since 1.4.2 (minor bug fixes from 1.4.1)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level2 lfo3;vertical-align:middle">
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Double-check for any changes, including namespace (all existing features should be in old namespaces, only new features in new ones)<o:p></o:p></span></li></ul>
</li></ul>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<a href="mailto:eb2mmrt@gmail.com">eb2mmrt@gmail.com</a> [<a href="mailto:eb2mmrt@gmail.com">mailto:eb2mmrt@gmail.com</a>]
<b>On Behalf Of </b>MURATA Makoto<br>
<b>Sent:</b> Thursday, January 15, 2015 5:20 AM<br>
<b>To:</b> SC34<br>
<b>Subject:</b> Re: XAdES elements in OFF-CRYPTO of Microsoft<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Miyachi-san believes that the quoted paragraphs <br>
allow five levels of XAdES (EPES, T, C, X, X-L)<br>
and mandate C and X. He thinks <br>
that they should be optional.<br>
<br>
Furthermore, as agreed in Kyoto, we should allow <br>
EPES/BES, T, X-L, and A.<br>
<br>
Regards,<br>
Makoto<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">2014-12-27 18:21 GMT+09:00 MURATA Makoto <<a href="mailto:eb2m-mrt@asahi-net.or.jp" target="_blank">eb2m-mrt@asahi-net.or.jp</a>>:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">Dear colleagues,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">We have already agreed not to introduce <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">SignatureInfoV1. The rest of XAdES elements <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">in OFF-CRYPTO is described in the following <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">subsection. We probably have to tweak this <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">subsection since we would like to allow all <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">conformance levels of XAdES.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Makoto<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
2.5.2.6 XAdES Elements<br>
<br>
XML Advanced Electronic Signatures [XAdES]<br>
extensions to xmldsig signatures MAY<32> be present<br>
in either binary or ECMA-376 documents [ECMA-376]<br>
when using xmldsig signatures. XAdES-EPES through<br>
XAdES-X-L extensions are specified within a<br>
signature. Unless otherwise specified, any optional<br>
elements as specified in [XAdES] are ignored. The<br>
Object element containing the information as<br>
specified in [XAdES] has a number of optional<br>
elements, and many of the elements have more than<br>
one method specified. A document compliant with this<br>
file format uses the following options:<br>
<br>
- The SignedSignatureProperties element MUST contain<br>
a SigningCertificate property as specified in<br>
[XAdES] section 7.2.2.<br>
<br>
- A SigningTime element MUST be present as specified<br>
in [XAdES] section 7.2.1.<br>
<br>
- A SignaturePolicyIdentifier element MUST be<br>
present as specified in [XAdES] section 7.2.3.<br>
<br>
- If the information as specified in [XAdES]<br>
contains a time stamp as specified by the<br>
requirements for XAdES-T, the time stamp<br>
information MUST be specified as an<br>
EncapsulatedTimeStamp element containing DER<br>
encoded ASN.1. data.<br>
<br>
- If the information as specified in [XAdES]<br>
contains references to validation data, the<br>
certificates used in the certificate chain, except<br>
for the signing certificate (1), MUST be contained<br>
within the CompleteCertificateRefs element as<br>
specified in [XAdES] section 7.4.1. In addition,<br>
for the signature to be considered a well-formed<br>
XAdES-C signature, a CompleteRevocationRefs<br>
element MUST be present, as specified in [XAdES]<br>
section 7.4.2.<br>
<br>
- If the information as specified in [XAdES]<br>
contains time stamps on references to validation<br>
data, the SigAndRefsTimestamp element as specified<br>
in [XAdES] section 7.5.1 and [XAdES] section<br>
7.5.1.1 MUST be used. The SigAndRefsTimestamp<br>
element MUST specify the time stamp information as<br>
an EncapsulatedTimeStamp element containing DER<br>
encoded ASN.1. data.<br>
<br>
- If the information as specified in [XAdES]<br>
contains properties for data validation values,<br>
the CertificateValues and RevocationValues<br>
elements MUST be constructed as specified in<br>
[XAdES] section 7.6.1 and [XAdES] section<br>
7.6.2. Except for the signing certificate (1), all<br>
certificates used in the validation chain MUST be<br>
entered into the CertificateValues element.<br>
<br>
There MUST be a Reference element specifying the<br>
digest of the SignedProperties element, as specified<br>
in [XAdES], section 6.2.1. A Reference element is<br>
placed in one of two parent elements, as specified<br>
in [XMLDSig]:<br>
<br>
- The SignedInfo element of the top-level Signature<br>
XML.<br>
<br>
- A Manifest element contained within an Object<br>
element.<br>
<br>
A document compliant with this file format<br>
SHOULD<33> place the Reference element specifying<br>
the digest of the SignedProperties element within<br>
the SignedInfo element. If the Reference element is<br>
instead placed in a Manifest element, the containing<br>
Object element MUST have an id attribute set to<br>
"idXAdESReferenceObject".<o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
Praying for the victims of the Japan Tohoku earthquake<br>
<br>
Makoto<o:p></o:p></p>
</div>
</div>
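<p class="MsoNormal">Added example, not taken from the thread, from MS-OFFCRYPTO, or from any Office or ODF implementation: a small Python checker that applies the MUSTs of the 2.5.2.6 text quoted above (SigningCertificate, SigningTime, SignaturePolicyIdentifier, DER time stamps in EncapsulatedTimeStamp, the XAdES-C and XAdES-X type 1 conditions, and the placement of the Reference to SignedProperties) to an XMLDSig signature using only xml.etree. The fixture XML, the function names and the placeholder time stamp value are constructed for this example; it assumes the XAdES 1.3.2 namespace and reads the Object id from either an Id or an id attribute.</p>

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#", "xades": "http://uri.etsi.org/01903/v1.3.2#"}
SP_TYPE = "http://uri.etsi.org/01903#SignedProperties"  # Reference/@Type naming SignedProperties
REF_OBJECT_ID = "idXAdESReferenceObject"                # Object id mandated by 2.5.2.6

def check_offcrypto_xades(xml_text):
    """Return the MUST violations against MS-OFFCRYPTO 2.5.2.6 (empty list = conformant)."""
    sig, issues = ET.fromstring(xml_text), []
    ssp = sig.find(".//xades:SignedSignatureProperties", NS)
    if ssp is None:
        return ["no SignedSignatureProperties: no XAdES qualifying properties at all"]
    for name in ("SigningCertificate", "SigningTime", "SignaturePolicyIdentifier"):
        if ssp.find("xades:" + name, NS) is None:
            issues.append(f"{name} MUST be present")
    # XAdES-T and XAdES-X time stamps MUST be DER data inside EncapsulatedTimeStamp
    for tag in ("SignatureTimeStamp", "SigAndRefsTimeStamp"):
        for ts in sig.findall(f".//xades:{tag}", NS):
            if ts.find("xades:EncapsulatedTimeStamp", NS) is None:
                issues.append(f"{tag} MUST carry an EncapsulatedTimeStamp")
    # only XAdES-X type 1 is allowed, so RefsOnlyTimeStamp (type 2) is a violation
    if sig.find(".//xades:RefsOnlyTimeStamp", NS) is not None:
        issues.append("RefsOnlyTimeStamp used; SigAndRefsTimeStamp MUST be used")
    # XAdES-C: references to validation data need both *Refs elements
    if (sig.find(".//xades:CompleteCertificateRefs", NS) is not None
            and sig.find(".//xades:CompleteRevocationRefs", NS) is None):
        issues.append("CompleteRevocationRefs MUST accompany CompleteCertificateRefs")
    # Reference to SignedProperties MUST sit in SignedInfo or in Object[id=idXAdESReferenceObject]/Manifest
    sp = sig.find(".//xades:SignedProperties", NS)
    sp_uri = "#" + sp.get("Id") if sp is not None and sp.get("Id") else None
    def is_sp_ref(ref):
        return ref.get("Type") == SP_TYPE or (sp_uri is not None and ref.get("URI") == sp_uri)
    ok = any(is_sp_ref(r) for r in sig.findall("ds:SignedInfo/ds:Reference", NS))
    for obj in sig.findall("ds:Object", NS):
        if obj.get("Id", obj.get("id")) == REF_OBJECT_ID:
            ok = ok or any(is_sp_ref(r) for r in obj.findall("ds:Manifest/ds:Reference", NS))
    if not ok:
        issues.append("Reference to SignedProperties missing or in a non-permitted parent")
    return issues

# Constructed fixture, not a real Office signature; empty elements stand in for real content.
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="idPackageSignature">
 <ds:SignedInfo><ds:Reference URI="#idSignedProperties" Type="{sp_type}"/></ds:SignedInfo>
 <ds:Object><xades:QualifyingProperties Target="#idPackageSignature">
  <xades:SignedProperties Id="idSignedProperties"><xades:SignedSignatureProperties>
   <xades:SigningTime>2015-01-15T12:05:00Z</xades:SigningTime><xades:SigningCertificate/>{policy}
  </xades:SignedSignatureProperties></xades:SignedProperties>
  <xades:UnsignedProperties><xades:UnsignedSignatureProperties>
   <xades:SignatureTimeStamp>{ts}</xades:SignatureTimeStamp>
  </xades:UnsignedSignatureProperties></xades:UnsignedProperties>
 </xades:QualifyingProperties></ds:Object></ds:Signature>"""

def sample(policy=True, der=True):
    """Conformant fixture by default; flags drop the policy or swap in an XMLTimeStamp."""
    policy_xml = "<xades:SignaturePolicyIdentifier/>" if policy else ""
    ts_xml = ("<xades:EncapsulatedTimeStamp>BASE64-DER-PLACEHOLDER</xades:EncapsulatedTimeStamp>"
              if der else "<xades:XMLTimeStamp/>")
    return SAMPLE.format(sp_type=SP_TYPE, policy=policy_xml, ts=ts_xml)
```

<p class="MsoNormal">Running <code>check_offcrypto_xades(sample())</code> returns an empty list, while <code>sample(policy=False, der=False)</code> reports the missing SignaturePolicyIdentifier and the non-DER time stamp; moving the Reference into an Object/Manifest is only accepted when that Object carries the idXAdESReferenceObject id.</p>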
</div>
</body>
</html>