XMLWordPrintable

    Details

    • Proposal:
      Hide

      David has marked up files that include all the proposed changes. Those show the changes better than does the description here and will be added.

      The proposed changes to ODF 1.2 CD05 Part 1 section 3.16 can be found as change-marked text in the documents available at <http://www.oasis-open.org/committees/document.php?document_id=38746>

      The proposed changes to ODF 1.2 CD05 Part 3 sections can be found as change-marked text in the documents available at <http://www.oasis-open.org/committees/document.php?document_id=38748>

      Show
      David has marked up files that include all the proposed changes. Those show the changes better than does the description here and will be added. The proposed changes to ODF 1.2 CD05 Part 1 section 3.16 can be found as change-marked text in the documents available at < http://www.oasis-open.org/committees/document.php?document_id=38746 > The proposed changes to ODF 1.2 CD05 Part 3 sections can be found as change-marked text in the documents available at < http://www.oasis-open.org/committees/document.php?document_id=38748 >
    • Resolution:
      Hide

      Update for part 1, section 3.16:

      ----------------------
      An OpenDocument document that is stored in a package may have one or more digital signatures applied to the package.

      Document signatures shall be stored in a file called META-INF/documentsignatures.xml in the package as described in section 2.4 of the OpenDocument specification part 3. Document signatures shall contain a <ds:Reference> element for each file within the package, with the exception that <ds:Reference> elements for the META-INF/documentsignatures.xml file containing the signature, and any files contained in the package whose relative path starts with "external-data/" should be omitted.

      Signatures other than document signatures are implementation-defined.
      ---------------------

      Update for part 3, Section 3.5:

      -------------------------
      Files within a package may have a digital signature applied. Digital signatures are stored in one or more files whose relative paths begin with "META-INF/". The names of these files shall contain the term "signatures".

      The format of digital signature files is specified in chapter 5.
      -------------------------

      New proposed text for section 5.3 follows:

      -----------------------------------------
      The <ds:Signature> element is defined by the [xmldsig-core] specification. Each <ds:Signature> element shall contain an Id attribute specifying a unique value. A producer may use the XAdES extensions as specified in ETSI TS 101 903 v1.4.1 [XAdES], or later versions of the XAdES specification.

      A <ds:KeyInfo> element, as specified in [xmldsig-core], section 4.4 shall be included. The <ds:KeyInfo> element should contain an <ds:X509Data> element containing an <ds:X509IssuerSerial> element specifying the issuer and serial number of the signing certificate, and an <ds:X509Certificate> element specifying the full signing certificate.

      Additional <ds:X509Certificate> elements may be placed in the <ds:X509Data>, or may be placed in the <xades:CertificateValues> element of the XAdES <ds:Object>, as defined in [XAdES] section 7.6.1. The additional certificates should represent the entire certificate chain used for verification at signing time.

      <ds:Reference> elements contained within a <ds:SignedInfo> element shall be resolved according to the following specification:
      1. A <ds:Reference> element which has a Type attribute value of "http://docs.oasis-open.org/office/v1.2/OS/OpenDocument-v1.2.odt" shall refer to files in the same package in the accordance with the procedure for resolving IRIs (§3.7), except that the file entry path shall be the name of the signature file with it relative path omitted. [Note: Consequently, an IRI-Reference consisting entirely of "#" followed by an ifragment (§2.2 of [RFC3987]) refers to the ID of an XML element within the same XML document containing this <ds:signature> element.

      2. A <ds:Reference> element which has a Type attribute with a value of "http://uri.etsi.org/01903/v1.2.2#SignedProperties" refers to an XAdES SignedProperties element.. A <ds:Reference> element which refers to the XAdES SignedProperties element (if present) shall be as specified in [XAdES] section 6.3.1.

      3. A <ds:Reference> element which does not have a Type attribute shall be processed the same a <ds:Reference> element which has a Type attribute with a value of "http://docs.oasis-open.org/office/v1.2/OS/OpenDocument-v1.2.odt".

      The only permitted <ds:Transform> elements which apply to files contained within the archive shall be canonicalization transforms, as specified in [xmldsig-core], section 6.5.

      The signing time should be recorded using one or more of the following approaches:
      1. An <ds:Object > element containing a <ds:SignatureProperty> element with:
      a. An Id attribute with a value containing a unique identifier.
      b. A Target attribute corresponding to the Id attribute of the <ds:Signature> element.
      c. A <date> element from the namespace "http://purl.org/dc/elements/1.1/" containing the UTC time as [xml-schema2] dateTime value.
      2. A <xades:SigningTime> element as specified in [XAdES] section 7.2.1.

      If an <ds:Object> containing XAdES elements is present, then a document compliant with this specification uses the following options:
      1. The <xades:SignedSignatureProperties> element shall contain a <xades:SigningCertificate> property as specified in [XAdES] section 7.2.2.
      2. A <xades:SigningTime> element should be present as specified in [XAdES] section 7.2.1.
      3. If any timestamp elements of type XAdESTimeStampType are present, such as the <xades:SignatureTimeStamp> or <xades: SigAndRefsTimestamp> elements, the time stamp information shall be specified as an EncapsulatedTimeStamp element containing DER encoded ASN.1. data.
      4. If references to validation data are present, the <xades:SigAndRefsTimestamp> element as specified in [XAdES] sections 7.5.1 and 7.5.1.1 shall be used.
      5. There shall be a <ds:Reference> element specifying the digest of the SignedProperties element, as specified in [XAdES], section 6.2.1. This <ds:Reference> element shall be contained within the <ds:SignedInfo> element of the <ds:Signature> element.

      The <ds:Signature> element is usable with the following element: <dsig:document-signatures> 5.2.


      Update [XAdes] reference to 1.4.1 and move it into the normative references section.

      Show
      Update for part 1, section 3.16: ---------------------- An OpenDocument document that is stored in a package may have one or more digital signatures applied to the package. Document signatures shall be stored in a file called META-INF/documentsignatures.xml in the package as described in section 2.4 of the OpenDocument specification part 3. Document signatures shall contain a <ds:Reference> element for each file within the package, with the exception that <ds:Reference> elements for the META-INF/documentsignatures.xml file containing the signature, and any files contained in the package whose relative path starts with "external-data/" should be omitted. Signatures other than document signatures are implementation-defined. --------------------- Update for part 3, Section 3.5: ------------------------- Files within a package may have a digital signature applied. Digital signatures are stored in one or more files whose relative paths begin with "META-INF/". The names of these files shall contain the term "signatures". The format of digital signature files is specified in chapter 5. ------------------------- New proposed text for section 5.3 follows: ----------------------------------------- The <ds:Signature> element is defined by the [xmldsig-core] specification. Each <ds:Signature> element shall contain an Id attribute specifying a unique value. A producer may use the XAdES extensions as specified in ETSI TS 101 903 v1.4.1 [XAdES] , or later versions of the XAdES specification. A <ds:KeyInfo> element, as specified in [xmldsig-core] , section 4.4 shall be included. The <ds:KeyInfo> element should contain an <ds:X509Data> element containing an <ds:X509IssuerSerial> element specifying the issuer and serial number of the signing certificate, and an <ds:X509Certificate> element specifying the full signing certificate. Additional <ds:X509Certificate> elements may be placed in the <ds:X509Data>, or may be placed in the <xades:CertificateValues> element of the XAdES <ds:Object>, as defined in [XAdES] section 7.6.1. The additional certificates should represent the entire certificate chain used for verification at signing time. <ds:Reference> elements contained within a <ds:SignedInfo> element shall be resolved according to the following specification: 1. A <ds:Reference> element which has a Type attribute value of "http://docs.oasis-open.org/office/v1.2/OS/OpenDocument-v1.2.odt" shall refer to files in the same package in the accordance with the procedure for resolving IRIs (§3.7), except that the file entry path shall be the name of the signature file with it relative path omitted. [Note: Consequently, an IRI-Reference consisting entirely of "#" followed by an ifragment (§2.2 of [RFC3987] ) refers to the ID of an XML element within the same XML document containing this <ds:signature> element. 2. A <ds:Reference> element which has a Type attribute with a value of "http://uri.etsi.org/01903/v1.2.2#SignedProperties" refers to an XAdES SignedProperties element.. A <ds:Reference> element which refers to the XAdES SignedProperties element (if present) shall be as specified in [XAdES] section 6.3.1. 3. A <ds:Reference> element which does not have a Type attribute shall be processed the same a <ds:Reference> element which has a Type attribute with a value of "http://docs.oasis-open.org/office/v1.2/OS/OpenDocument-v1.2.odt". The only permitted <ds:Transform> elements which apply to files contained within the archive shall be canonicalization transforms, as specified in [xmldsig-core] , section 6.5. The signing time should be recorded using one or more of the following approaches: 1. An <ds:Object > element containing a <ds:SignatureProperty> element with: a. An Id attribute with a value containing a unique identifier. b. A Target attribute corresponding to the Id attribute of the <ds:Signature> element. c. A <date> element from the namespace "http://purl.org/dc/elements/1.1/" containing the UTC time as [xml-schema2] dateTime value. 2. A <xades:SigningTime> element as specified in [XAdES] section 7.2.1. If an <ds:Object> containing XAdES elements is present, then a document compliant with this specification uses the following options: 1. The <xades:SignedSignatureProperties> element shall contain a <xades:SigningCertificate> property as specified in [XAdES] section 7.2.2. 2. A <xades:SigningTime> element should be present as specified in [XAdES] section 7.2.1. 3. If any timestamp elements of type XAdESTimeStampType are present, such as the <xades:SignatureTimeStamp> or <xades: SigAndRefsTimestamp> elements, the time stamp information shall be specified as an EncapsulatedTimeStamp element containing DER encoded ASN.1. data. 4. If references to validation data are present, the <xades:SigAndRefsTimestamp> element as specified in [XAdES] sections 7.5.1 and 7.5.1.1 shall be used. 5. There shall be a <ds:Reference> element specifying the digest of the SignedProperties element, as specified in [XAdES] , section 6.2.1. This <ds:Reference> element shall be contained within the <ds:SignedInfo> element of the <ds:Signature> element. The <ds:Signature> element is usable with the following element: <dsig:document-signatures> 5.2. Update [XAdes] reference to 1.4.1 and move it into the normative references section.

      Description

      David LeBlanc's proposal for updating digital signature support:
      A summary of the changes:

      Part 1, section 3.16: Adapt heading to "Document Signatures"

      Modified to read:

      An OpenDocument document that is stored in a package may have one or more digital signatures applied to the package.

      Document signatures shall be stored in a file called META-INF/documentsignatures.xml in the package as described in section 2.4 of the OpenDocument specification part 3.

      A document signature shall be considered to be valid only if the "XML Digital Signature" contained in documentsignatures.xml is valid.

      Document signatures shall contain a <ds:Reference> element for each file within the package, with the exception that a <ds:Reference> element for the file containing the signature is omitted. If non-standard files are added to the package, then it is implementation-specific whether <ds:Reference> elements for the additional files shall be required. An implementer may also choose to support a partial document signature which may contain <ds:Reference> elements for only some of the files within the package or portions of files.

      Part 3:
      Addition of xades to the namespace table

      Packages, Digital Signatures section:
      Added "A full document signature shall be stored in a file called META-INF/documentsignatures.xml, as described in part 1, section 3.16." to be consistent with part 1.

      <dsig:document-signatures> section:
      Changed:

      In particular, consumers may require that a digital signature references all files contained in a package.

      To:

      In particular, consumers may require that a digital signature references all files contained in a package, excepting the META-INF/documentsignatures.xml file, which cannot be included because a signature cannot sign itself.

      I didn't touch the next 2 paragraphs, but these are a problem due to the encryption conundrum.

      <ds:Signature> section:
      This is long, and I'll wait for Cherie here. Basically, it puts into standards language the what I suggested in e-mail previously, and specifies the current signature implementation of (IIRC) Open Office as the standard, and adds in the information needed to do XAdES such that everyone can interoperate.
      Copied from David's editted document, the section would read:
      The <ds:Signature> element is defined by the [xmldsig-core] specification. A producer may use the XAdES extensions as specified in ETSI TS 101 903 v1.3.2 [XAdES], or later versions of the XAdES specification. Each <ds:Signature> element shall contain an Id attribute specifying a unique value.
      A <ds:KeyInfo> element, as specified in [xmldsig-core], section 4.4 shall be included. The <ds:KeyInfo> element shall contain an <ds:X509Data> element containing at least an <ds:X509IssuerSerial> element specifying the issuer and serial number of the signing certificate, and an <ds:X509Certificate> element specifying the full signing certificate. Additional <ds:X509Certificate> elements may be placed in the <ds:X509Data>, or may be placed in the <xades:CertificateValues> element of the XAdES <ds:Object>, as defined in [XAdES] section 7.6.1. The additional certificates should represent the entire primary certificate chain used at signing time.
      <ds:Reference> elements contained within a <ds:SignedInfo> element shall be resolved according to the following specification:
      1. A <ds:Reference> element which refers to a file contained within the package shall have a Type attribute with a value of "http://docs.oasis-open.org/office/v1.1/OS/OpenDocument-v1.1.html". The <ds:Reference> URI for files contained within the package shall be Relative IRI references contained within the element or any of its descendant elements shall be resolved as defined in section 3.7, except that the base URI for resolving relative IRIs shall be the package base IRI.
      2. A <ds:Reference> to an <ds:Object> element contained within this <ds:Signature> element shall have a Type attribute with a value of "http://www.w3.org/2000/09/xmldsig#Object". The <ds:Reference> URI for an <ds:Object> element shall be considered to be relative to the <ds:Signature> element.
      3. A <ds:Reference> element which refers to the XAdES SignedProperties element (if present) shall be as specified in [XAdES] section 6.3.1.
      4. A <ds:Reference> element with a Type attribute value other than those specified previously should be considered to be external to the package.
      Any <ds:Reference> elements contained within a <ds:Manifest> element, which is in turn contained within a <ds:Object> element, shall be considered to be implementation specific.
      The only permitted <ds:Transform> elements which apply to files contained within the archive shall be canonicalization transforms, as specified in [xmldsig-core], section 6.5.
      The signing time shall be recorded using one or more of the following approaches:
      1. An <ds:Object > element containing a <ds:SignatureProperty> element with:
      a. An Id attribute with a value containing a unique identifier.
      b. A Target attribute corresponding to the Id attribute of the <ds:Signature> element.
      c. A <date> element from the namespace "http://purl.org/dc/elements/1.1/" containing the time in UTC format.
      2. A <xades:SigningTime> element as specified in [XAdES] section 7.2.1.
      If an <ds:Object> containing XAdES elements is present, then a document compliant with this specification uses the following options:
      1. The <xades:SignedSignatureProperties> element shall contain a <xades:SigningCertificate> property as specified in [XAdES] section 7.2.2.
      2. A <xades:SigningTime> element shall be present as specified in [XAdES] section 7.2.1.
      3. ) If any timestamp elements of type XAdESTimeStampType are present, such as the <xades:SignatureTimeStamp> or <xades: SigAndRefsTimestamp> elements, the time stamp information shall be specified as an EncapsulatedTimeStamp element containing DER encoded ASN.1. data.
      4. ) If references to validation data are present, the <xades:SigAndRefsTimestamp> element as specified in [XAdES] sections 7.5.1 and 7.5.1.1 shall be used.
      5. There shall be a <ds:Reference> element specifying the digest of the SignedProperties element, as specified in [XAdES], section 6.2.1. This <ds:Reference> element shall be contained within the <ds:SignedInfo> element of the <ds:Signature> element.

      Oh - as I was reviewing this, I noticed that I forgot to add language to support the XAdES CounterSignature element, which itself contains one or more Signatures, each of which may also have a CounterSignature. We need to make sure that restrictions on the <ds:Signature> element do not preclude using them differently in a CounterSignature.

        Attachments

          Activity

            People

            • Assignee:
              Patrick Patrick Durusau
              Reporter:
              cheriee Cherie Ekholm
            • Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: