<div dir="ltr">John,<div><br></div><div>I am afraid that I was not clear. OPC as of now already provides extension points. </div><div>They allow third parties to introduce legitimate extensions. Microsoft XAdES is </div><div>such a legitimate extension.</div><div><br></div><div>Even if we introduce the new version of XAdES as part of the revision of OPC, </div><div>the extension points will continue to be available. Thus, Microsoft XAdES </div><div>will continue to be a legitimate extension of OPC. Implementations of <br>such extensions will continue to be conformant. Backward compatibility<br>will not be destroyed.<br><br>Then, what does it mean to incorporate the new version of XAdES into <br>the revision of OPC? It means that a set of conventions on the use of </div><div>the new version of XAdES will be established. New applications </div><div>based on the revised OPC will follow these conventions.</div><div><br></div><div>If we incorporate the existing version of XAdES into the revision of </div><div>OPC, we will establish a set of conventions on the use of </div><div>the existing version of XAdES. Then, we will have two </div><div>sets of conventions: Microsoft XAdES and the revised OPC. They </div><div>are unlikely to be identical. If they diverge, we will cause a lot </div><div>of troubles to users and implementations. I thus think that </div><div>not incorporating the existing version of XAdES into the </div><div>revised OPC is the best way to provide backward compatibility.</div><div><br></div><div>Perhaps, one solution is to provide an informative note about </div><div>the use of the existing XAdES in the OPC revision. The note </div><div>should say that such use IS conformant.</div><div><br></div><div>Regards,</div><div>Makoto</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-05-28 8:19 GMT+09:00 John Haug <span dir="ltr"><<a href="mailto:johnhaug@exchange.microsoft.com" target="_blank">johnhaug@exchange.microsoft.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I suspect my position on this would be easily guessed, but I strongly disfavor updating OPC in a way that breaks backward compatibility. Even putting aside my
Microsoft hat representing the single largest installed base of implementations of OPC, whether that be Office or XPS (both the .xps file format and Windows print spool format which implement ECMA-388, which incorporates OPC by reference) or .NET Framework
(System.IO.Packaging) or Windows Presentation Framework/XAML – and there are other implementers – I’d have to argue the point that where software has adopted digital signatures based on XMLDSig and gone further, the existing XAdES specifications are what has
been adopted. We’d do a disservice to current implementers and to users of many current documents to create a discontinuity in compatibility.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I believe we are getting too far down into the details of whatever work ETSI is doing now or may do in the future to revise XAdES. There is risk I feel is inappropriate
to take on in requiring use of a new, unpublished/unapproved proposed standard that has no adoption by industry while ignoring one that does have at least some industry adoption. Regardless of considering which version to require, I don’t believe we need
to or should mandate one version or another – let implementers decide what level of security they need for their application. I assert that our interest from the perspective of 29500 is to provide requirements that improve interoperability among implementations
of OPC that use XMLDSig and XAdES. And I still believe we can do that with simple statements like we’ve looked at before, ones that just require this choice or that where XAdES provides options or leaves something as implementation-specific. Both the new
and existing versions of XAdES are backward-compatible extensions of XMLDSig, the fundamental underlying technology the use of which is an important choice to make for the standard, so the previous sentence should hold.<u></u><u></u></span></p><span class="">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">>
</span>As you know, Japanese XAdES experts are unhappy with the MS implementation.<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u><u></u></span></p>
</span><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I think this is in reference to Office writing out SignaturePolicyIdentifier elements that are empty or use SignaturePolicyImplied. Whether to allow that (which
is legal XAdES) is a question we can take up along with the context of other related standards and implementations (e.g., ODF and MS-OFFCRYPTO make no statement on these elements). Chris and I can raise those concerns with the development team here, but let’s
leave any individual concerns with Office’s particular implementation choices separate from what we choose to specify in the standard.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">John<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <a href="mailto:eb2mmrt@gmail.com" target="_blank">eb2mmrt@gmail.com</a> [mailto:<a href="mailto:eb2mmrt@gmail.com" target="_blank">eb2mmrt@gmail.com</a>]
<b>On Behalf Of </b>MURATA Makoto<br>
<b>Sent:</b> Tuesday, May 26, 2015 8:02 PM<br>
<b>To:</b> SC34<br>
<b>Subject:</b> Japanese position on the introduction of XAdES to OPC.<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<div>
<p class="MsoNormal">Dear colleagues,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">This mail is to describe the Japanese position on the <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">introduction of XAdES to OPC. Japan believes that the <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">ongoing revision of OPC (Open Packaging Conventions) <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">should use the first part of the new version of XAdES and<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">nothing else.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">As we have discussed, there are two versions of XAdES. An existing<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">version of XAdES is documented in ETSI technical specifications, while<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">a new and incompatible version is expected to become ENs (European<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Standards) in one year.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The first version is already implemented by Microsoft Office. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">This means that, if we introduce this version of XAdES to OPC <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">as a standard, we will run the risk of making the current implementation<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">by Microsoft non-conformant. As you know, Japanese XAdES <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">experts are unhappy with the MS implementation.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The latest version of XAdES consists of two specifications.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Apparently, Europe is committed to the first part. The second part <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">appears to be an alibi for not abandoning some<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">features of the old version.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Moreover, the first part does not use any external files. But the<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">second does. This means that if such external files exist in an OPC<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">package, they look like orphans and will be thrown away by many<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">implementations including MS Office. To avoid this problem, we will<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">have to introduce relationship types. Japan does not think that the <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">second part has advantages significant enough for this additional effort.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Regards,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Makoto<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</div></div></div>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><br>Praying for the victims of the Japan Tohoku earthquake<br><br>Makoto</div>
</div>