Either DSig 1.1 or DSig 1.1/1.0

MURATA Makoto eb2m-mrt at asahi-net.or.jp
Sun Oct 23 23:26:02 CEST 2016 

I forgot to mention schema issues.  My conclusion is
that (1) and (2) actually provides no schema differences.


DSig 1.0 uses xmldsig-core-schema.xsd.

DSig .1 uses xmldsig11-schema.xsd, which
imports xmldsig-core-schema.xsd.

Thus, both (1) and (2) need xmldsig-core-schema.xsd
and xmldsig-core-schema.xsd.

Regards,
Makoto



2016-10-23 21:08 GMT+09:00 MURATA Makoto <eb2m-mrt at asahi-net.or.jp>:

> We have to decide what OPC V2 should reference
> as the definition of XML digital signatures.  (1) DSig 1.1,
> or (2) DSig 1.0 (second edition) as well as DSig 1.1?
>
> 1. Data conformance
>
> I believe that signatures conformant to DSig 1.0 are
> guranteed to conform to DSig 1.1.  If this is the
> case, (1) is good enough.
>
> But (2) is not harmful.  A digital signature is
> required to conform to either DSig 1.0 or DSig 1.1.
>
> 2. Conformance of signature generators
>
> Since generators are not required to use every
> feature of XML DSig, generators restricted to DSig
> 1.0 conform to DSig 1.1.  Thus, I believe that (1) is
> good enough.
>
> But if we choose (2), what should be the requirements
> on generators?
>
> Status quo is shown below:
>
>     > 13.4 Generating Signatures
>     >
>     > The steps for signing package contents follow
>     > the algorithm outlined in §3.1 of the W3C
>     > Recommendation “XMLSignature Syntax and
>     > Processing,” with some modification for
>     > package-specific constructs...
>
> Here is a rewrite based on (2).
>
>     > 13.4 Generating Signatures
>     >
>     > The steps for signing package contents follow
>     > the algorithm outlined in §3.1 of the W3C
>     > Recommendation “XMLSignature Syntax and
>     > Processing 1.0 (second edition)”or “XML Signature
>     > Syntax and Processing Version 1.1,” with some modification for
>     > package-specific constructs...
>
> I do not see any advantages, but I do not see any
> disadvantages either.
>
> 3. Conformance of signature validators
>
> One could argue that (2) provides some advantages,
> since some new algorithms in DSig 1.1 are made
> mandatory.  We might want to allow legacy validators
> restricted to 1.0 while encouraging validators to support
> 1.1.
>
> Status quo is shown below:
>
>     > 13.5 Validating Signatures
>     >
>     > Consumers validate signatures following the
>     > steps described in §3.2 of the W3C
>     > Recommendation “XMLSignature Syntax and
>     > Processing.”...
>
> Here is a rewrite based on (2).
>
>     > 13.5 Validating Signatures
>     >
>     > Consumers are required to validate signatures
>     > following the steps described in §3.2 of
>     > either “XMLSignature Syntax and Processing 1.0
>     > (second edition)”or “XML Signature Syntax and
>     > Processing Version 1.1”.  Consumers should support
>     > “XML Signature Syntax and Processing Version 1.1”
>     > but may support “XMLSignature Syntax and Processing 1.0
>     > (second edition)”.
>
> This paragraph allows validators not to support new elements and
> algorithms of DSig 1.1.  I do not know whether MS Office supports
> them or not.
>
>
>
> Regards,
> Makoto
>



-- 

Praying for the victims of the Japan Tohoku earthquake

Makoto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.vse.cz/pipermail/sc34wg4/attachments/20161024/9968014d/attachment.html>

More information about the sc34wg4 mailing list