<div dir="ltr"><div>Dear colleagues,</div><div><br></div><div>Together with XAdES experts, the Japanese SC34 mirror studied MS-</div><div>OFFCRYPTO. We believe that most of the quoted sentences are </div><div>not needed in OPC V2.</div><div><br></div><div>> 2.5.2.6 XAdES Elements</div><div>> </div><div>> XML Advanced Electronic Signatures [XAdES]</div><div>> extensions to xmldsig signatures MAY<32> be present</div><div>> in either binary or ECMA-376 documents [ECMA-376]</div><div>> when using xmldsig signatures. </div><div><br></div><div>This sentence explicitly allows the use of XAdES </div><div>in OPC. Something similar is needed in OPC V2.</div><div><br></div><div>>XAdES-EPES through</div><div>> XAdES-X-L extensions are specified within a</div><div>> signature. </div><div><br></div><div>We are going to allow every level and </div><div>recommend the use of A. So, this sentence </div><div>has to be changed.</div><div><br></div><div>>Unless otherwise specified, any optional</div><div>> elements as specified in [XAdES] are ignored. </div><div><br></div><div>This is harmful. Even if some element is optional, </div><div>it has to be treated as specified in [XAdES].</div><div><br></div><div>> The</div><div>> Object element containing the information as</div><div>> specified in [XAdES] has a number of optional</div><div>> elements, and many of the elements have more than</div><div>> one method specified.</div><div><br></div><div>This sentence is just a non-normative </div><div>description of what is specified in XAdES.</div><div>Delete it.</div><div> </div><div>>A document compliant with this</div><div>> file format uses the following options:</div><div>> </div><div>> - The SignedSignatureProperties element MUST contain</div><div>> a SigningCertificate property as specified in</div><div>> [XAdES] section 7.2.2.</div><div><br></div><div>> - A SigningTime element MUST be present as specified</div><div>> in [XAdES] section 7.2.1.</div><div><br></div><div>The second bullet is controversial. Some believe that it is optional,</div><div>while others believe that it is mandatory. I think that we </div><div>should simply reference XAdES without saying anything.</div><div> </div><div>> - A SignaturePolicyIdentifier element MUST be</div><div>> present as specified in [XAdES] section 7.2.3.</div><div><br></div><div>At present, a SignaturePolicyIdentifier element </div><div>containing no policies are created by MS Office. </div><div>Miyachi-san believes that this is a bad practice </div><div>and OPC V2 should discourage such SignaturePolicyIdentifier </div><div><br></div><div>> - If the information as specified in [XAdES]</div><div>> contains a time stamp as specified by the</div><div>> requirements for XAdES-T, the time stamp</div><div>> information MUST be specified as an</div><div>> EncapsulatedTimeStamp element containing DER</div><div>> encoded ASN.1. data.</div><div><br></div><div>We only have to state that timestamps (if any) </div><div>conform to RFC 3161.</div><div> </div><div>> - If the information as specified in [XAdES]</div><div>> contains references to validation data, the</div><div>> certificates used in the certificate chain, except</div><div>> for the signing certificate (1), MUST be contained</div><div>> within the CompleteCertificateRefs element as</div><div>> specified in [XAdES] section 7.4.1. In addition,</div><div>> for the signature to be considered a well-formed</div><div>> XAdES-C signature, a CompleteRevocationRefs</div><div>> element MUST be present, as specified in [XAdES]</div><div>> section 7.4.2.</div><div><br></div><div>This is merely a non-normative overview of C </div><div>as specified in XAdES. Delete it.</div><div> </div><div>> - If the information as specified in [XAdES]</div><div>> contains time stamps on references to validation</div><div>> data, the SigAndRefsTimestamp element as specified</div><div>> in [XAdES] section 7.5.1 and [XAdES] section</div><div>> 7.5.1.1 MUST be used. The SigAndRefsTimestamp</div><div>> element MUST specify the time stamp information as</div><div>> an EncapsulatedTimeStamp element containing DER</div><div>> encoded ASN.1. data.</div><div><br></div><div>This is merely a non-normative overview of X </div><div>as specified in XAdES. Delete it.</div><div> </div><div>> - If the information as specified in [XAdES]</div><div>> contains properties for data validation values,</div><div>> the CertificateValues and RevocationValues</div><div>> elements MUST be constructed as specified in</div><div>> [XAdES] section 7.6.1 and [XAdES] section</div><div>> 7.6.2. Except for the signing certificate (1), all</div><div>> certificates used in the validation chain MUST be</div><div>> entered into the CertificateValues element.</div><div><br></div><div>This is merely a non-normative overview of X-L</div><div>as specified in XAdES. Delete it.</div><div> </div><div>> There MUST be a Reference element specifying the</div><div>> digest of the SignedProperties element, as specified</div><div>> in [XAdES], section 6.2.1. A Reference element is</div><div>> placed in one of two parent elements, as specified</div><div>> in [XMLDSig]:</div><div>> </div><div>> - The SignedInfo element of the top-level Signature</div><div>> XML.</div><div>> </div><div>> - A Manifest element contained within an Object</div><div>> element.</div><div><br></div><div>The first and second bullets merely give nor-normative </div><div>descriptions of XAdES and DSig, respectively. Delete </div><div>them.</div><div><br></div><div>> A document compliant with this file format</div><div>> SHOULD<33> place the Reference element specifying</div><div>> the digest of the SignedProperties element within</div><div>> the SignedInfo element.</div><div><br></div><div>Again, this sentence is non-normative. Delete it.</div><div><br></div><div>> If the Reference element is</div><div>> instead placed in a Manifest element, the containing</div><div>> Object element MUST have an id attribute set "idXAdESReferenceObject".to</div><div><br></div><div>This sentence is needed if we would like to explicitly allow the use</div><div>of "idXAdESReferenceObject". But we have agreed not </div><div>to do so.</div><div><br></div><div class="gmail_extra"><br clear="all"><div>Regards,</div><div><br>Makoto</div>
</div></div>