Japanese position on the introduction of XAdES to OPC.

MURATA Makoto eb2m-mrt at asahi-net.or.jp
Fri May 29 01:06:17 CEST 2015 

John,

2015-05-29 3:21 GMT+09:00 John Haug <johnhaug at exchange.microsoft.com>:

>  Hello –
>
>
>
> > Even if we introduce the new version of XAdES as part of the revision
> of OPC, the extension points will continue to be available.
>
> Perhaps I misunderstood, then.  I thought the position was to effectively
> prohibit use of the current XAdES and only allow use of the new upcoming
> version.  Even discouraging use of the existing one in favor of the
> upcoming one seems a bit much in my mind.  As long as OPC gives guidance on
> which choices to make when implementing XAdES, that should suffice for
> interoperability and leave flexibility to implementers to choose what they
> support, however good or bad an idea it is – i.e., no signature, plain
> XMLDSig, current XAdES, upcoming XAdES.
>

Sure.  The upcoming OPC should not discourage the use of the existing XAdES.


>
>
> I may not be familiar enough with the details of the upcoming XAdES, but I
> think the small number of interop requirements that we might want to add to
> OPC apply equally to both the established and upcoming XAdES.  I think it
> can be done in a way that is agnostic to which edition of XAdES
> implementers choose.  I’m don’t think it’s quite right to think of a
> “Microsoft XAdES” as opposed to regular XAdES or XYZ Corp’s XAdES.  Our
> implementation is conformant XAdES and we simply publish a document
> containing information about the choices we made where XAdES allows
> flexibility so that others know what to expect in OOXML files generated by
> Office and what we didn’t implement support for in Office.
>

Having seen the latest draft and schemas of the upcoming XAdES, I strongly
think that we
need different sets of requirements on the upcoming XAdES and the existing
XAdES.
For example, namespaces are different.  The schema XAdESENv111.xsd for the
existing
version and that for the upcoming version are different.  The number of
conformance levels
are different.  The organization of the specs are different: for example,
level C (references
to validation data) are moved to the second part of the upcoming XAdES.

If we decide to implement one set of requirements for the upcoming XAdES
and
another for the existing XAdES, we will probably have to introduce
different sets
of relationships for the two XAdES.  They are for preserving seemingly
orphan
parts, which are referenced by XAdES by relative URIs.  If we do not allow
the use of the second part of the upcoming XAdES, we do not need such
relationships for the upcoming XAdES.  I am not completely sure but
I think that the URI attribute in Include element of the existing XAdES
requires such a relationship type.


>
> Given the above…
>
>
>
> > It means that a set of conventions on the use of the new version of
> XAdES will be established.  New applications based on the revised OPC will
> follow these conventions.
>
> I fully agree with the first sentence immediately above and think it
> applies to XAdES in general; or, slightly differently, to both the current
> and upcoming versions.  The second sentence could be taken to mean that use
> of the current XAdES is deprecated and implementations should use the
> upcoming one.  The upcoming one is so early in its life that I think this
> might be premature.  I may also be misinterpreting that second sentence and
> this isn’t what you intended.
>

Let me try again.  New applications implementing the upcoming version of
XAdES will follow these conventions.

>
>
> > Then, we will have two sets of conventions: Microsoft XAdES and the
> revised OPC.  They are unlikely to be identical.
>
> I think this is the crux of what we need to figure out in detail.  My
> impression is that XAdES hasn’t changed terribly in its markup details,
> which would allow OPC to make restricting statements that would apply
> equally to current and upcoming XAdES.  I may be wrong.  Though if the
> differences are minor, we may simply note something like: for TS 101 903:
> foo, and for EN 319 132: bar.  We have a proposed set of requirements based
> on TS 101 903 in a draft we looked at in Bellevue, very similar to both
> MS-OFFCRYPTO and ODF 1.2, which we could evaluate against the latest draft
> of EN 319 132 to get a better idea of this.
>

My impression is different.  Details of XAdES markup has changed a lot.

Perhaps, the best way to go forward is to begin with careful comparison of
the upcoming
XAdES and existing XAdES.   I will prepare something by the F2F.

Regards,
Makoto


>
> John
>
>
>
> *From:* eb2mmrt at gmail.com [mailto:eb2mmrt at gmail.com] *On Behalf Of *MURATA
> Makoto
> *Sent:* Wednesday, May 27, 2015 7:29 PM
> *To:* John Haug
> *Cc:* e-SC34-WG4 at ecma-international.org
> *Subject:* Re: Japanese position on the introduction of XAdES to OPC.
>
>
>
> John,
>
>
>
> I am afraid that I was not clear.  OPC as of now already provides
> extension points.
>
> They allow third parties to introduce legitimate extensions.  Microsoft
> XAdES is
>
> such a legitimate extension.
>
>
>
> Even if we introduce the new version of XAdES as part of the revision of
> OPC,
>
> the extension points will continue to be available.  Thus, Microsoft XAdES
>
> will continue to be a legitimate extension of OPC.   Implementations of
> such extensions will continue to  be conformant.  Backward compatibility
> will not be destroyed.
>
> Then, what does it mean to incorporate the new version of XAdES into
> the revision of OPC?   It means that a set of conventions on the use of
>
> the new version of XAdES will be established.  New applications
>
> based on the revised OPC will follow these conventions.
>
>
>
> If we incorporate the existing version of XAdES into the revision of
>
> OPC, we will establish a set of conventions on the use of
>
> the existing version of XAdES.  Then, we will have two
>
> sets of conventions: Microsoft XAdES and the revised OPC.  They
>
> are unlikely to be identical.  If they diverge, we will cause a lot
>
> of troubles to users and implementations.  I thus think that
>
> not incorporating the existing version of XAdES into the
>
> revised OPC is the best way to provide backward compatibility.
>
>
>
> Perhaps, one solution is to provide an informative note about
>
> the use of the existing XAdES in the OPC revision.  The note
>
> should say that such use IS conformant.
>
>
>
> Regards,
>
> Makoto
>
>
>
>
>
>
>
>
>
>
>
>
>
> 2015-05-28 8:19 GMT+09:00 John Haug <johnhaug at exchange.microsoft.com>:
>
>  I suspect my position on this would be easily guessed, but I strongly
> disfavor updating OPC in a way that breaks backward compatibility.  Even
> putting aside my Microsoft hat representing the single largest installed
> base of implementations of OPC, whether that be Office or XPS (both the
> .xps file format and Windows print spool format which implement ECMA-388,
> which incorporates OPC by reference) or .NET Framework
> (System.IO.Packaging) or Windows Presentation Framework/XAML – and there
> are other implementers – I’d have to argue the point that where software
> has adopted digital signatures based on XMLDSig and gone further, the
> existing XAdES specifications are what has been adopted.  We’d do a
> disservice to current implementers and to users of many current documents
> to create a discontinuity in compatibility.
>
>
>
> I believe we are getting too far down into the details of whatever work
> ETSI is doing now or may do in the future to revise XAdES.  There is risk I
> feel is inappropriate to take on in requiring use of a new,
> unpublished/unapproved proposed standard that has no adoption by industry
> while ignoring one that does have at least some industry adoption.
> Regardless of considering which version to require, I don’t believe we need
> to or should mandate one version or another – let implementers decide what
> level of security they need for their application.  I assert that our
> interest from the perspective of 29500 is to provide requirements that
> improve interoperability among implementations of OPC that use XMLDSig and
> XAdES.  And I still believe we can do that with simple statements like
> we’ve looked at before, ones that just require this choice or that where
> XAdES provides options or leaves something as implementation-specific.
> Both the new and existing versions of XAdES are backward-compatible
> extensions of XMLDSig, the fundamental underlying technology the use of
> which is an important choice to make for the standard, so the previous
> sentence should hold.
>
>
>
> > As you know, Japanese XAdES experts are unhappy with the MS
>  implementation.
>
> I think this is in reference to Office writing out
> SignaturePolicyIdentifier elements that are empty or use
> SignaturePolicyImplied.  Whether to allow that (which is legal XAdES) is a
> question we can take up along with the context of other related standards
> and implementations (e.g., ODF and MS-OFFCRYPTO make no statement on these
> elements).  Chris and I can raise those concerns with the development team
> here, but let’s leave any individual concerns with Office’s particular
> implementation choices separate from what we choose to specify in the
> standard.
>
>
>
> John
>
>
>
> *From:* eb2mmrt at gmail.com [mailto:eb2mmrt at gmail.com] *On Behalf Of *MURATA
> Makoto
> *Sent:* Tuesday, May 26, 2015 8:02 PM
> *To:* SC34
> *Subject:* Japanese position on the introduction of XAdES to OPC.
>
>
>
> Dear colleagues,
>
>
>
> This mail is to describe the Japanese position on the
>
> introduction of XAdES to OPC.  Japan believes that the
>
> ongoing revision of OPC (Open Packaging Conventions)
>
> should use the first part of the new version of XAdES and
>
> nothing else.
>
>
>
> As we have discussed, there are two versions of XAdES.  An existing
>
> version of XAdES is documented in ETSI technical specifications, while
>
> a new and incompatible version is expected to become ENs (European
>
> Standards) in one year.
>
>
>
> The first version is already implemented by Microsoft Office.
>
> This means that, if we introduce this version of XAdES to OPC
>
> as a standard, we will run the risk of making the current implementation
>
> by Microsoft non-conformant.  As you know, Japanese XAdES
>
> experts are unhappy with the MS  implementation.
>
>
>
> The latest version of XAdES consists of two specifications.
>
> Apparently, Europe is committed to the first part.  The second part
>
> appears to be an alibi for not abandoning some
>
> features of the old version.
>
>
>
> Moreover, the first part does not use any external files.  But the
>
> second does.  This means that if such external files exist in an OPC
>
> package, they look like orphans and will be thrown away by many
>
> implementations including MS Office.  To avoid this problem, we will
>
> have to introduce relationship types.   Japan does not think that the
>
> second part has advantages significant enough for this additional effort.
>
>
>
>
>
>
>
> Regards,
>
> Makoto
>
>
>
>
>
>
>
> --
>
>
> Praying for the victims of the Japan Tohoku earthquake
>
> Makoto
>



-- 

Praying for the victims of the Japan Tohoku earthquake

Makoto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.vse.cz/pipermail/sc34wg4/attachments/20150529/c322331a/attachment-0001.html>

More information about the sc34wg4 mailing list