Japanese position on the introduction of XAdES to OPC.
MURATA Makoto
eb2m-mrt at asahi-net.or.jp
Thu May 28 04:28:34 CEST 2015
John,
I am afraid that I was not clear. OPC as of now already provides extension
points.
They allow third parties to introduce legitimate extensions. Microsoft
XAdES is
such a legitimate extension.
Even if we introduce the new version of XAdES as part of the revision of
OPC,
the extension points will continue to be available. Thus, Microsoft XAdES
will continue to be a legitimate extension of OPC. Implementations of
such extensions will continue to be conformant. Backward compatibility
will not be destroyed.
Then, what does it mean to incorporate the new version of XAdES into
the revision of OPC? It means that a set of conventions on the use of
the new version of XAdES will be established. New applications
based on the revised OPC will follow these conventions.
If we incorporate the existing version of XAdES into the revision of
OPC, we will establish a set of conventions on the use of
the existing version of XAdES. Then, we will have two
sets of conventions: Microsoft XAdES and the revised OPC. They
are unlikely to be identical. If they diverge, we will cause a lot
of troubles to users and implementations. I thus think that
not incorporating the existing version of XAdES into the
revised OPC is the best way to provide backward compatibility.
Perhaps, one solution is to provide an informative note about
the use of the existing XAdES in the OPC revision. The note
should say that such use IS conformant.
Regards,
Makoto
2015-05-28 8:19 GMT+09:00 John Haug <johnhaug at exchange.microsoft.com>:
> I suspect my position on this would be easily guessed, but I strongly
> disfavor updating OPC in a way that breaks backward compatibility. Even
> putting aside my Microsoft hat representing the single largest installed
> base of implementations of OPC, whether that be Office or XPS (both the
> .xps file format and Windows print spool format which implement ECMA-388,
> which incorporates OPC by reference) or .NET Framework
> (System.IO.Packaging) or Windows Presentation Framework/XAML – and there
> are other implementers – I’d have to argue the point that where software
> has adopted digital signatures based on XMLDSig and gone further, the
> existing XAdES specifications are what has been adopted. We’d do a
> disservice to current implementers and to users of many current documents
> to create a discontinuity in compatibility.
>
>
>
> I believe we are getting too far down into the details of whatever work
> ETSI is doing now or may do in the future to revise XAdES. There is risk I
> feel is inappropriate to take on in requiring use of a new,
> unpublished/unapproved proposed standard that has no adoption by industry
> while ignoring one that does have at least some industry adoption.
> Regardless of considering which version to require, I don’t believe we need
> to or should mandate one version or another – let implementers decide what
> level of security they need for their application. I assert that our
> interest from the perspective of 29500 is to provide requirements that
> improve interoperability among implementations of OPC that use XMLDSig and
> XAdES. And I still believe we can do that with simple statements like
> we’ve looked at before, ones that just require this choice or that where
> XAdES provides options or leaves something as implementation-specific.
> Both the new and existing versions of XAdES are backward-compatible
> extensions of XMLDSig, the fundamental underlying technology the use of
> which is an important choice to make for the standard, so the previous
> sentence should hold.
>
>
>
> > As you know, Japanese XAdES experts are unhappy with the MS
> implementation.
>
> I think this is in reference to Office writing out
> SignaturePolicyIdentifier elements that are empty or use
> SignaturePolicyImplied. Whether to allow that (which is legal XAdES) is a
> question we can take up along with the context of other related standards
> and implementations (e.g., ODF and MS-OFFCRYPTO make no statement on these
> elements). Chris and I can raise those concerns with the development team
> here, but let’s leave any individual concerns with Office’s particular
> implementation choices separate from what we choose to specify in the
> standard.
>
>
>
> John
>
>
>
> *From:* eb2mmrt at gmail.com [mailto:eb2mmrt at gmail.com] *On Behalf Of *MURATA
> Makoto
> *Sent:* Tuesday, May 26, 2015 8:02 PM
> *To:* SC34
> *Subject:* Japanese position on the introduction of XAdES to OPC.
>
>
>
> Dear colleagues,
>
>
>
> This mail is to describe the Japanese position on the
>
> introduction of XAdES to OPC. Japan believes that the
>
> ongoing revision of OPC (Open Packaging Conventions)
>
> should use the first part of the new version of XAdES and
>
> nothing else.
>
>
>
> As we have discussed, there are two versions of XAdES. An existing
>
> version of XAdES is documented in ETSI technical specifications, while
>
> a new and incompatible version is expected to become ENs (European
>
> Standards) in one year.
>
>
>
> The first version is already implemented by Microsoft Office.
>
> This means that, if we introduce this version of XAdES to OPC
>
> as a standard, we will run the risk of making the current implementation
>
> by Microsoft non-conformant. As you know, Japanese XAdES
>
> experts are unhappy with the MS implementation.
>
>
>
> The latest version of XAdES consists of two specifications.
>
> Apparently, Europe is committed to the first part. The second part
>
> appears to be an alibi for not abandoning some
>
> features of the old version.
>
>
>
> Moreover, the first part does not use any external files. But the
>
> second does. This means that if such external files exist in an OPC
>
> package, they look like orphans and will be thrown away by many
>
> implementations including MS Office. To avoid this problem, we will
>
> have to introduce relationship types. Japan does not think that the
>
> second part has advantages significant enough for this additional effort.
>
>
>
>
>
>
>
> Regards,
>
> Makoto
>
>
>
--
Praying for the victims of the Japan Tohoku earthquake
Makoto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.vse.cz/pipermail/sc34wg4/attachments/20150528/06296c64/attachment-0001.html>
More information about the sc34wg4
mailing list