Information about http://docs.oasis-open.org/dss/v1.0/oasis-dss-profiles-eseal-spec-v1.0-os.pdf

1 2 Entity Seal Profile of the OASIS 3 Digital Signature…

Tags: committees, digital signature, dss, email list, esecurity, juan carlos, nick pope, oasis digital, patent, patents, profiles, protocol, revisions, seals, signature service, signature services, tc, technical committee members, thales,
Pages: 11
Language: english
Created: Sat Apr 28 19:30:08 2007

Display cached document

Page 1

Page 2

Page 3

Page 4

Page 5

Page 6

Page 7

Page 8

Page 9

Page 10

Page 11

2 Entity Seal Profile of the OASIS
3 Digital Signature Service
4 OASIS Standard

5 11 April 2007
6 This Version:
7 http://docs.oasis-open.org/dss/v1.0/oasis-dss-profiles-eseal-spec-v1.0-os.html
8 http://docs.oasis-open.org/dss/v1.0/oasis-dss-profiles-eseal-spec-v1.0-os.pdf
9 http://docs.oasis-open.org/dss/v1.0/oasis-dss-profiles-eseal-spec-v1.0-os.doc
10 Latest Version:
11 http://docs.oasis-open.org/dss/v1.0/oasis-dss-profiles-eseal-spec-v1.0-os.html
12 http://docs.oasis-open.org/dss/v1.0/oasis-dss-profiles-eseal-spec-v1.0-os.pdf
13 http://docs.oasis-open.org/dss/v1.0/oasis-dss-profiles-eseal-spec-v1.0-os.doc
14 Technical Committee:
15 OASIS Digital Signature Services TC
16 Chair(s):
17 Nick Pope, Thales eSecurity
18 Juan Carlos Cruellas, Centre d'aplicacions avan�ades d'Internet (UPC)
19 Editor:
20 Nick Pope, Thales eSecurity
21 Abstract:
22 This document defines a profile of the OASIS DSS protocol and XML signature for the
23 purpose of creating and verifying entity seals.
24 Status:
25 This document was last revised or approved by the membership of OASIS on the above
26 date. The level of approval is also listed above. Check the current location noted above
27 for possible later revisions of this document. This document is updated periodically on no
28 particular schedule.
29 Technical Committee members should send comments on this specification to the
30 Technical Committee's email list. Others should send comments to the Technical
31 Committee by using the "Send A Comment" button on the Technical Committee's web
32 page at http://www.oasis-open.org/committees/dss/.
33 For information on whether any patents have been disclosed that may be essential to
34 implementing this specification, and any offers of patent licensing terms, please refer to
35 the Intellectual Property Rights section of the Technical Committee web page
36 (http://www.oasis-open.org/committees/dss/ipr.php.
37 The non-normative errata page for this specification is located at http://www.oasis-
38 open.org/committees/dss/.
oasis-dss-profiles-eseal-spec-v1.0-os 11 April, 2007
Copyright � OASIS Open 2007. All Rights Reserved. Page 1 of 11
39 Notices
40 OASIS takes no position regarding the validity or scope of any intellectual property or other rights
41 that might be claimed to pertain to the implementation or use of the technology described in this
42 document or the extent to which any license under such rights might or might not be available;
43 neither does it represent that it has made any effort to identify any such rights. Information on
44 OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS
45 website. Copies of claims of rights made available for publication and any assurances of licenses
46 to be made available, or the result of an attempt made to obtain a general license or permission
47 for the use of such proprietary rights by implementors or users of this specification, can be
48 obtained from the OASIS Executive Director.
49 OASIS invites any interested party to bring to its attention any copyrights, patents or patent
50 applications, or other proprietary rights which may cover technology that may be required to
51 implement this specification. Please address the information to the OASIS Executive Director.
52 Copyright � OASIS� 1993�2007. All Rights Reserved.
53 This document and translations of it may be copied and furnished to others, and derivative works
54 that comment on or otherwise explain it or assist in its implementation may be prepared, copied,
55 published and distributed, in whole or in part, without restriction of any kind, provided that the
56 above copyright notice and this paragraph are included on all such copies and derivative works.
57 However, this document itself may not be modified in any way, such as by removing the copyright
58 notice or references to OASIS, except as needed for the purpose of developing OASIS
59 specifications, in which case the procedures for copyrights defined in the OASIS Intellectual
60 Property Rights document must be followed, or as required to translate it into languages other
61 than English.
62 The limited permissions granted above are perpetual and will not be revoked by OASIS or its
63 successors or assigns.
64 This document and the information contained herein is provided on an "AS IS" basis and OASIS
65 DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
66 ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE
67 ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
68 PARTICULAR PURPOSE.
69 The names "OASIS" are trademarks of OASIS, the owner and developer of this specification, and
70 should be used only to refer to the organization and its official outputs. OASIS welcomes
71 reference to, and implementation and use of, specifications, while reserving the right to enforce
72 its marks against misleading uses. Please see http://www.oasis-open.org/who/trademark.php for
73 above guidance.

oasis-dss-profiles-eseal-spec-v1.0-os 11 April, 2007
Copyright � OASIS Open 2007. All Rights Reserved. Page 2 of 11
74 Table of Contents
75 1 Introduction ............................................................................................................................. 4
76 1.1 Terminology........................................................................................................................... 4
77 1.2 Namespaces ......................................................................................................................... 4
78 1.3 Normative References .......................................................................................................... 4
79 2 Profile Features....................................................................................................................... 6
80 2.1 Identifier................................................................................................................................. 6
81 2.2 Scope .................................................................................................................................... 6
82 2.3 Relationship To Other Profiles .............................................................................................. 6
83 2.4 Signature Object.................................................................................................................... 6
84 2.5 Transport Binding .................................................................................................................. 6
85 2.6 Security Binding .................................................................................................................... 6
86 2.6.1 Security Requirements................................................................................................... 6
87 2.6.2 TLS X.509 Mutual Authentication .................................................................................. 6
88 3 Profile of Signing Protocol....................................................................................................... 7
89 3.1 Element ....................................................................................................... 7
90 3.1.1 Element ............................................................................................. 7
91 3.1.2 Element .......................................................................................... 7
92 3.2 Element .................................................................................................... 7
93 3.2.1 Element .......................................................................................................... 7
94 3.2.2 Element .......................................................................................... 7
95 3.2.3 Element ........................................................................................... 7
96 4 Profile of Verifying Protocol..................................................................................................... 8
97 4.1 Element ..................................................................................................... 8
98 4.1.1 Element ............................................................................................. 8
99 4.1.2 Element ........................................................................................... 8
100 4.1.3 Element .......................................................................................... 8
101 4.2 Element .................................................................................................. 8
102 4.2.1 Element .......................................................................................................... 8
103 4.2.2 Element .......................................................................................... 8
104 5 Profile of ESeal Signatures ..................................................................................................... 9
105 6 Server Processing Rules ...................................................................................................... 10
106 6.1 Sign ..................................................................................................................................... 10
107 6.2 Verify ................................................................................................................................... 10
108 A. Acknowledgements............................................................................................................... 11
109

oasis-dss-profiles-eseal-spec-v1.0-os 11 April, 2007
Copyright � OASIS Open 2007. All Rights Reserved. Page 3 of 11
110 1 Introduction
111 The DSS signing and verifying protocols are defined in [DSSCore]. As defined in that document,
112 these protocols have a fair degree of flexibility and extensibility. This document profiles the core
113 to support creation and validation of a "seal" created by a given Entity or Organization on
114 electronic data.
115 The seal is a form of electronic signature which:
116 a) protects the integrity of the document,
117 b) includes the time at which the seal was applied proving that the data existed at the given
118 time,
119 c) includes the identity of the entity requesting the seal,
120 d) may include a statement of intent for applying the seal.
121 This profile includes a few options that require further profiling for implementing interoperable
122 systems.

123 1.1 Terminology
124 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
125 "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be
126 interpreted as described in IETF RFC 2119 [RFC 2119]. These keywords are capitalized when
127 used to unambiguously specify requirements over protocol features and behavior that affect the
128 interoperability and security of implementations. When these words are not capitalized, they are
129 meant in their natural-language sense.
130 This specification uses the following typographical conventions in text: ,
131 Attribute, Datatype, OtherCode.

132 1.2 Namespaces
133 Conventional XML namespace prefixes are used in this document:
134 � The prefix dss: (or no prefix) stands for the DSS core namespace [Core-XSD].
135 � The prefix ds: stands for the W3C XML Signature namespace [XMLSig].
136 � The prefix xades: stands for the ETSI XML Advanced Electronic Signature namespace
137 [XAdES]
138 Applications MAY use different namespace prefixes, and MAY use whatever namespace
139 defaulting/scoping conventions they desire, as long as they are compliant with the Namespaces
140 in XML specification [XML-ns].

141 1.3 Normative References
142 [Core-XSD] S. Drees et al. DSS Schema. OASIS, February, 2007
143 [DSSCore] S. Drees et al. Digital Signature Service Core Protocols and Elements.
144 OASIS, February, 2007
145 [DSS-XAdES] Juan Carlos Cruellas et al. XAdES Profile of the OASIS Digital Signature
146 Service
147 [RFC 2119] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels.
148 IETF RFC 2396, August 1998.
149 http://www.ietf.org/rfc/rfc2396.txt.
150 [XAdES] XML Advanced Electronic Signatures ETSI TS 101 903, February 2002
151 (shortly to be re-issued)
oasis-dss-profiles-eseal-spec-v1.0-os 11 April, 2007
Copyright � OASIS Open 2007. All Rights Reserved. Page 4 of 11
152 http://pda.etsi.org/pda/home.asp?wki_id=1UFEyx7ORuBCDGED3IiJH
153 [XML-ns] T. Bray, D. Hollander, A. Layman. Namespaces in XML. W3C
154 Recommendation, January 1999.
155 http://www.w3.org/TR/1999/REC-xml-names-19990114
156 [XMLSig] D. Eastlake et al. XML-Signature Syntax and Processing. W3C
157 Recommendation, February 2002.
158 http://www.w3.org/TR/1999/REC-xml-names-19990114
159
160

oasis-dss-profiles-eseal-spec-v1.0-os 11 April, 2007
Copyright � OASIS Open 2007. All Rights Reserved. Page 5 of 11
161 2 Profile Features
162 2.1 Identifier
163 urn:oasis:names:tc:dss:1.0:profiles:eseal

164 2.2 Scope
165 This document profiles the DSS signing and verifying protocols defined in [DSSCore] and profiles
166 the XML signature format for entity seals created by a given Entity or Organization on electronic
167 data.

168 2.3 Relationship To Other Profiles
169 This document profiles the DSS signing and verifying protocols defined in [DSSCore].

170 2.4 Signature Object
171 This profile supports the creation and verification of [XMLSig] signatures as defined in section 5.

172 2.5 Transport Binding
173 This profile is transported using the HTTP POST Transport Binding defined in [DSSCore].

174 2.6 Security Binding
175 2.6.1 Security Requirements
176 This profile MUST use security bindings that:
177 � Authenticates the requester to the DSS server
178 � Authenticates the DSS server to the DSS client
179 � Protects the integrity or a request, response and the association of response to the
180 request.
181 � Optionally, protects the confidentiality of a request and response
182 The following is recommended to meet these requirements..

183 2.6.2 TLS X.509 Mutual Authentication
184 This profile is secured using the TLS X.509 Mutual Authentication Binding defined in [DSSCore].

oasis-dss-profiles-eseal-spec-v1.0-os 11 April, 2007
Copyright � OASIS Open 2007. All Rights Reserved. Page 6 of 11
185 3 Profile of Signing Protocol
186 3.1 Element
187 3.1.1 Element
188 The optional inputs from [DSSCore]:
189 � MUST be supported by the DSS server. This MAY be sent
190 by the client to provide the claimed identity of the requester. If present the
191 element of MUST be authenticated by the Security Binding.
192 � MAY be supported by the DSS server. If present this
193 MAY be used by the client to request the CommitmentTypeIndication property. The
194 CommitmentTypeIndication property is requested using the identifier and value as
195 defined in [DSS-XAdES].
196

197 3.1.2 Element
198 At least one of the following types of InputDocuments from [DSSCore]:
199 �
200 �
201 MUST be supported by the DSS server. The DSS client may use either form.
202 If the client uses an element that is not supported by the server, the server SHOULD return
203 ResultMinor set to indicate NotSupported and ResultMessage set to text providing further
204 details.

205 3.2 Element
206 3.2.1 Element
207 This profile defines no additional codes.

208 3.2.2 Element
209 This profile requires no optional options.

210 3.2.3 Element
211 If successful, the server MUST return a with the signature properties as defined in
212 section 5.

oasis-dss-profiles-eseal-spec-v1.0-os 11 April, 2007
Copyright � OASIS Open 2007. All Rights Reserved. Page 7 of 11
213 4 Profile of Verifying Protocol
214 4.1 Element
215 4.1.1 Element
216 This profile places no specific requirements on the optional inputs.

217 4.1.2 Element
218 The server MUST support .

219 4.1.3 Element
220 The at least one of the input document element from [DSSCore]:
221 �
222 �
223 MUST be supported by the DSS server. The DSS client may use either form. Other elements
224 MAY be supported.

225 4.2 Element
226 4.2.1 Element
227 This profile defines no additional codes.

228 4.2.2 Element
229 This profile places no specific requirements on the optional outputs.

oasis-dss-profiles-eseal-spec-v1.0-os 11 April, 2007
Copyright � OASIS Open 2007. All Rights Reserved. Page 8 of 11
230 5 Profile of ESeal Signatures
231 The signature form used by the profile is an XML Signature as defined in [XMLSig].
232 The XML signature MUST contain the element within the
233 element as defined in [XAdES] within the
234 element of the XML signature.
235 The following property must be present within the element:
236 �
237 In addition, the following may be present:
238 �
239 The following property must be present within a element:
240 �
241 The digest value of the and the
242 elements shall be included in the signature references.

oasis-dss-profiles-eseal-spec-v1.0-os 11 April, 2007
Copyright � OASIS Open 2007. All Rights Reserved. Page 9 of 11
243 6 Server Processing Rules
244 6.1 Sign
245 In addition to the processing rules define in [Core-XSD] the server MUST:
246 a) ensure that the requester is authorized to request an ESeal,
247 b) authenticate that requester is as identified in and, if
248 present,

249 6.2 Verify
250 In addition to the processing rules define in [Core-XSD] the server MUST:
251 a) ensure that the properties required in section 5 are present.
252

oasis-dss-profiles-eseal-spec-v1.0-os 11 April, 2007
Copyright � OASIS Open 2007. All Rights Reserved. Page 10 of 11
253 A. Acknowledgements
254 The following individuals have participated in the creation of this specification and are gratefully
255 acknowledged:
256 Participants:
257 John Messing, American Bar Association
258 Dallas Powell, Individual
259 Juan Carlos Cruellas, Individual
260 Trevor Perrin, individual
261