Usage of <dss:ValidDetail>, <dss:InvalidDetail> and <dss:IndeterminateDetail> in the multisignature verification report profile

Purpose: use of these elements, already specified in the DSS core, for:

  1. Identifying the element on which the report is providing details.
  2. Providing additional information on that element, using structures defined in the draft.

I will try to explain myself below.

What I am proposing is that the structure of the IndividualReport for a signature where everything is OK is like the one below. Please note the usage of URIs for identifying details, as the core specifies; among others, CryptoDetails, which says whether the cryptographic results and algorithms are OK or not. Also note the usage of :

<IndividualReport>
        <Details>
                <!-- Instead of the element FormatOK, use the Type attribute of the dss:ValidDetail element to indicate that the signature format is OK -->
                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:SignatureFormat"/>
                <!-- Use dss:ValidDetail to indicate that the crypto operations are OK, instead of the SignatureOK element. If there are problems, then use dss:InvalidDetail as in the next example -->
                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:CryptoDetails"/>
                <!-- Use dss:ValidDetail for reporting that everything is OK with the certification path and provide additional details as required. This would avoid the PathValiditySummary -->
                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:Certificatepath">
                        <CertificateIdentifier> ... </CertificateIdentifier>
                        <!-- Use one CertificateDetails element for each valid certificate in the path -->
                        <CertificateDetails>
                                <CertificateIdentifier>...</CertificateIdentifier>
                                <ValidDetail Type="urn:oasis:names:tc:dss:1.0:detail:IssuerTrust"/>
                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:Chaining"/>
                                <ValidDetail Type="urn:oasis:names:tc:dss:1.0:detail:ValidityInterval"/>
                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:Extensions"/>
                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:CryptoDetails"/>
                                <CertificateValue>...</CertificateValue>
                                <!-- CertificateContent almost as defined in the draft -->
                                <CertificateContent>...</CertificateContent>
                                <!-- Below, the details of the CRL or the OCSP answer that provide information on the revocation status of the given certificate -->
                                <!-- Content of <CRLDetails>: almost as <CRLValidity> -->
                                <ValidDetail Type="urn:oasis:names:tc:dss:1.0:detail:RevocationStatus">
                                        <CRLDetails>
                                                <CRLIdentifier>...</CRLIdentifier>
                                                <CRLValue>...</CRLValue>
                                                <CRLContent>...</CRLContent>
                                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:CryptoDetails"/>
                                                <!-- other elements -->
                                        </CRLDetails>
                                        <!-- or <OCSPDetails>....</OCSPDetails> -->
                                </ValidDetail>
                        </CertificateDetails>
                        <!-- A similar CertificateDetails element for the next certificate in the certpath -->
                        <CertificateDetails>
                                <CertificateIdentifier>...</CertificateIdentifier>
                                <!-- Rest of the elements including status information -->
                        </CertificateDetails>
                </ValidDetail>
        </Details>
</IndividualReport>

Following this strategy, a signature that is invalid because there has been some problem with the signature algorithm would be reported as shown below. Note the <InvalidDetail> elements.

<IndividualReport>
        <Details>
                <!-- Instead of the element FormatOK, use the Type attribute of the dss:ValidDetail element to indicate that the signature format is OK -->
                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:SignatureFormat"/>

                <!-- Use dss:InvalidDetail to indicate that there are problems with crypto operations or algorithms; nested details say which check failed -->
                <InvalidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:CryptoDetails">
                        <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:SignatureValue"/>
                        <InvalidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:SignatureAlgorithm"/>
                </InvalidDetail>

                <!-- Use dss:ValidDetail for reporting that everything is OK with the certification path and provide additional details as required. This would avoid the PathValiditySummary -->
                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:Certificatepath">
                        <CertificateIdentifier> ... </CertificateIdentifier>
                        <!-- Use one CertificateDetails element for each valid certificate in the path -->
                        <CertificateDetails>
                                <CertificateIdentifier>...</CertificateIdentifier>
                                <ValidDetail Type="urn:oasis:names:tc:dss:1.0:detail:IssuerTrust"/>
                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:Chaining"/>
                                <ValidDetail Type="urn:oasis:names:tc:dss:1.0:detail:ValidityInterval"/>
                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:Extensions"/>
                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:CryptoDetails"/>
                                <CertificateValue>...</CertificateValue>
                                <!-- CertificateContent almost as defined in the draft -->
                                <CertificateContent>...</CertificateContent>
                                <!-- Below, the details of the CRL or the OCSP answer that provide information on the revocation status of the given certificate -->
                                <!-- Content of <CRLDetails>: almost as <CRLValidity> -->
                                <ValidDetail Type="urn:oasis:names:tc:dss:1.0:detail:RevocationStatus">
                                        <CRLDetails>
                                                <CRLIdentifier>...</CRLIdentifier>
                                                <CRLValue>...</CRLValue>
                                                <CRLContent>...</CRLContent>
                                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:CryptoDetails"/>
                                                <!-- other elements -->
                                        </CRLDetails>
                                        <!-- or <OCSPDetails>....</OCSPDetails> -->
                                </ValidDetail>
                        </CertificateDetails>
                        <!-- A similar CertificateDetails element for the next certificate in the certpath -->
                        <CertificateDetails>
                                <CertificateIdentifier>...</CertificateIdentifier>
                                <!-- Rest of the elements including status information -->
                        </CertificateDetails>
                </ValidDetail>
        </Details>
</IndividualReport>

Finally, below follows a report for a signature with a revoked certificate as reported in a CRL:

<IndividualReport>
        <Details>
                <!-- Instead of the element FormatOK, use the Type attribute of the dss:ValidDetail element to indicate that the signature format is OK -->
                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:SignatureFormat"/>
                <!-- Use dss:ValidDetail to indicate that the crypto operations are OK, instead of the SignatureOK element. If there are problems, then use dss:InvalidDetail as in the previous example -->
                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:CryptoDetails"/>
                <!-- Use dss:InvalidDetail for reporting that there is a problem with the certification path (here a revoked certificate) and provide the details of the failing certificate below. This would avoid the PathValiditySummary -->
                <InvalidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:Certificatepath">
                        <CertificateIdentifier> ... </CertificateIdentifier>
                        <!-- Use one CertificateDetails element for each certificate in the path; the first one below is the revoked certificate -->
                        <CertificateDetails>
                                <CertificateIdentifier>...</CertificateIdentifier>
                                <ValidDetail Type="urn:oasis:names:tc:dss:1.0:detail:IssuerTrust"/>
                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:Chaining"/>
                                <ValidDetail Type="urn:oasis:names:tc:dss:1.0:detail:ValidityInterval"/>
                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:Extensions"/>
                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:CryptoDetails"/>
                                <CertificateValue>...</CertificateValue>
                                <!-- CertificateContent almost as defined in the draft -->
                                <CertificateContent>...</CertificateContent>
                                <!-- Below, the details of the CRL or the OCSP answer that provide information on the revocation status of the given certificate -->
                                <!-- Content of <CRLDetails>: almost as <CRLValidity> -->
                                <InvalidDetail Type="urn:oasis:names:tc:dss:1.0:detail:RevocationStatus">
                                        <CRLDetails>
                                                <CRLIdentifier>...</CRLIdentifier>
                                                <CRLValue>...</CRLValue>
                                                <CRLContent>...</CRLContent>
                                                <ValidDetail Type="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:CryptoDetails"/>
                                                <!-- other elements -->
                                        </CRLDetails>
                                        <!-- or <OCSPDetails>....</OCSPDetails> -->
                                </InvalidDetail>
                        </CertificateDetails>
                        <!-- A similar CertificateDetails element for the next certificate in the certpath -->
                        <CertificateDetails>
                                <CertificateIdentifier>...</CertificateIdentifier>
                                <!-- Rest of the elements including status information -->
                        </CertificateDetails>
                </InvalidDetail>
        </Details>
</IndividualReport>
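The three report shapes above can be consumed with a single walk over the nested details. The Python below is an added example, not code from the wiki page or from the DSS-X profile: it derives the overall status of any IndividualReport in the proposed form, lists the most specific failing detail Types (the root causes), and flags a ValidDetail that wraps failing details, which a relying party should treat as a malformed report rather than trusting the outer claim. The sample reports are constructed here and abbreviated.

```python
"""Roll up the verdict of an IndividualReport built from nested
Valid/Invalid/IndeterminateDetail elements (added example, constructed samples)."""
import xml.etree.ElementTree as ET

VR = "urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:"
DSS = "urn:oasis:names:tc:dss:1.0:detail:"

DETAIL_TAGS = {"ValidDetail": "valid",
               "InvalidDetail": "invalid",
               "IndeterminateDetail": "indeterminate"}
# The worst status found anywhere in the tree wins the overall verdict.
RANK = {"valid": 0, "indeterminate": 1, "invalid": 2}


def local(tag):
    """Local name of a tag in Clark notation ({ns}name) or unqualified."""
    return tag.rsplit("}", 1)[-1]


def walk(elem, path):
    """Return (worst status, root causes, inconsistent details) below elem.

    path holds the Type suffixes of the enclosing detail elements, so a
    cause reads e.g. "CryptoDetails/SignatureAlgorithm".
    """
    worst, causes, inconsistent = "valid", [], []
    for child in elem:
        name = local(child.tag)
        if name not in DETAIL_TAGS:
            # Containers such as <Details> or <CertificateDetails> are transparent.
            w, c, i = walk(child, path)
        else:
            status = DETAIL_TAGS[name]
            here = path + (child.get("Type", "").rsplit(":", 1)[-1],)
            w, c, i = walk(child, here)
            if status != "valid" and not c:
                # Nothing deeper explains the failure: this detail is a root cause.
                c.append((status, "/".join(here)))
            if status == "valid" and w != "valid":
                # A ValidDetail must not wrap failing details; do not trust the outer claim.
                i.append("/".join(here))
            w = max(w, status, key=RANK.get)
        worst = max(worst, w, key=RANK.get)
        causes += c
        inconsistent += i
    return worst, causes, inconsistent


def verdict(report_xml):
    """Overall status of an IndividualReport plus root causes and inconsistencies."""
    return walk(ET.fromstring(report_xml), ())


# Constructed samples following the three shapes above (abbreviated).
VALID_REPORT = f"""<IndividualReport><Details>
  <ValidDetail Type="{VR}SignatureFormat"/>
  <ValidDetail Type="{VR}CryptoDetails"/>
  <ValidDetail Type="{VR}Certificatepath">
    <CertificateDetails>
      <ValidDetail Type="{DSS}IssuerTrust"/>
      <ValidDetail Type="{DSS}RevocationStatus"><CRLDetails/></ValidDetail>
    </CertificateDetails>
  </ValidDetail>
</Details></IndividualReport>"""

BAD_ALGORITHM_REPORT = f"""<IndividualReport><Details>
  <ValidDetail Type="{VR}SignatureFormat"/>
  <InvalidDetail Type="{VR}CryptoDetails">
    <ValidDetail Type="{VR}SignatureValue"/>
    <InvalidDetail Type="{VR}SignatureAlgorithm"/>
  </InvalidDetail>
  <ValidDetail Type="{VR}Certificatepath"/>
</Details></IndividualReport>"""

REVOKED_REPORT = f"""<IndividualReport><Details>
  <ValidDetail Type="{VR}SignatureFormat"/>
  <ValidDetail Type="{VR}CryptoDetails"/>
  <InvalidDetail Type="{VR}Certificatepath">
    <CertificateDetails>
      <ValidDetail Type="{DSS}IssuerTrust"/>
      <InvalidDetail Type="{DSS}RevocationStatus"><CRLDetails/></InvalidDetail>
    </CertificateDetails>
  </InvalidDetail>
</Details></IndividualReport>"""

# Malformed: the outer detail claims validity while a nested one does not.
INCONSISTENT_REPORT = f"""<IndividualReport><Details>
  <ValidDetail Type="{VR}Certificatepath">
    <CertificateDetails>
      <IndeterminateDetail Type="{DSS}RevocationStatus"/>
    </CertificateDetails>
  </ValidDetail>
</Details></IndividualReport>"""

if __name__ == "__main__":
    for label, xml in [("valid", VALID_REPORT), ("bad algorithm", BAD_ALGORITHM_REPORT),
                       ("revoked", REVOKED_REPORT), ("inconsistent", INCONSISTENT_REPORT)]:
        print(label, verdict(xml))
```

Because the walker keys on the element names and the Type URIs only, it works the same for CRL and OCSP revocation details and for any further nesting the profile may add; the path it reports is exactly the "which element failed" information the proposal wants the report to carry.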

25-07-2008.

These days I have been doing some thinking on the issue of constraining, via the XML schema, the usage of the Type attribute in the Valid/Invalid/Indeterminate elements so as to re-use the strategy from the core. I have come to something that could be along those lines, shown below. In fact the final schema would be longer, as there are lots of structures that are almost equal except for the Type attribute being fixed to a certain value.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:oasis:names:tc:dssx:1.0:profiles:multisignatureverification:1.0#" xmlns:vr="urn:oasis:names:tc:dssx:1.0:profiles:multisignatureverification:1.0#" xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" elementFormDefault="qualified" attributeFormDefault="unqualified">
        <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
        <xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/download.php/3408/oasis-sstc-saml-schema-protocol-1.1.xsd"/>
        <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
        <xs:import namespace="urn:oasis:names:tc:dss:1.0:core:schema" schemaLocation="http://docs.oasis-open.org/dss/v1.0/oasis-dss-core-schema-v1.0-os.xsd"/>
        <!-- Same content as dss:DetailType in the core: optional Code and Message, both allowed together -->
        <xs:group name="DetailsFixedContent">
                <xs:sequence>
                        <xs:element name="Code" type="xs:anyURI" minOccurs="0"/>
                        <xs:element name="Message" type="dss:InternationalStringType" minOccurs="0"/>
                </xs:sequence>
        </xs:group>
        
        <!-- Final element VerificationReport -->

        <xs:element name="VerificationReport" type="vr:VerificationReportType"/>
        <xs:complexType name="VerificationReportType">
                <xs:sequence>
                        <xs:element name="CurrentTime" type="xs:dateTime" minOccurs="0"/>
                        <xs:element ref="dss:VerificationTimeInfo" minOccurs="0"/>
                        <xs:element name="VerifierIdentity" type="saml:NameIdentifierType" minOccurs="0"/>
                        <xs:element name="IndividualSignatureReport" type="vr:IndividualSignatureReportType" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
        </xs:complexType>
        
        <!-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -->
        <!-- Type for IndividualSignatureReport -->
        <xs:complexType name="IndividualSignatureReportType">
                <xs:sequence>
                        <xs:element name="SignatureIdentifier"/>
                        <xs:element ref="dss:Result"/>
                        <xs:group ref="vr:SignatureValidity"/>
                </xs:sequence>
        </xs:complexType>

        <!-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -->
        <!-- Definitions for reporting validity of an Individual Signature -->
        <xs:group name="SignatureValidity">
                <xs:choice>
                        <xs:element name="ValidDetail" type="vr:SignatureDetailType"/>
                        <xs:element name="InvalidDetail" type="vr:SignatureDetailType"/>
                        <xs:element name="IndeterminateDetail" type="vr:SignatureDetailType"/>
                </xs:choice>
        </xs:group>
        <xs:complexType name="SignatureDetailType">
                <xs:sequence>
                        <xs:group ref="vr:DetailsFixedContent"/>
                        <xs:element name="DetailedReport" type="vr:DetailedReportType"/>
                </xs:sequence>
                <xs:attribute name="Type" type="xs:anyURI" fixed="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:IndividualSignature"/>
        </xs:complexType>


        <!-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -->
        <!-- Definitions for a detailed report for an individual signature -->
        <xs:complexType name="DetailedReportType">
                <xs:sequence>
                        <xs:element name="Properties" />
<!--                    <xs:element ref="dss:VerifyManifestResults"/>
                        <xs:group ref="vr:FormatDetails"/>
                        <xs:group ref="vr:SignatureValueValidity"/> -->
                        <xs:group ref="vr:CertificatePathValidity"/>
                </xs:sequence>
        </xs:complexType>
                
        <!-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -->
        <!-- Definitions for reporting validity of the Certificate Path-->
        <xs:group name="CertificatePathValidity">
                <xs:choice>
                        <xs:element name="ValidDetail" type="vr:CertificatePathDetailType"/>
                        <xs:element name="InvalidDetail" type="vr:CertificatePathDetailType"/>
                        <xs:element name="IndeterminateDetail" type="vr:CertificatePathDetailType"/>
                </xs:choice>
        </xs:group>
        
        <xs:complexType name="CertificatePathDetailType">
                <xs:sequence>
                        <xs:group ref="vr:DetailsFixedContent"/>
                        <xs:element name="CertificatePathReport" type="vr:CertificatePathReportType"/> 
                </xs:sequence>
                <xs:attribute name="Type" type="xs:anyURI" fixed="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:CertificatePath"/>
        </xs:complexType>


        <!-- Definitions for the report on the certificate path -->
        <xs:complexType name="CertificatePathReportType">
                <xs:sequence>
                        <xs:element name="CertificateIdentifier" />
                        <xs:group ref="vr:CertificateValidity" minOccurs="0" maxOccurs="unbounded"/>
<!--                    <xs:group ref="vr:TSLValidity"/>
                        <xs:group ref="vr:TrustAnchorValidity"/>
-->
                </xs:sequence>
        </xs:complexType>

        <!-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -->
        <!-- Definitions for reporting validity of a single certificate -->
        
        <xs:group name="CertificateValidity">
                <xs:choice>
                        <xs:element name="ValidDetail" type="vr:CertificateDetailType"/>
                        <xs:element name="InvalidDetail" type="vr:CertificateDetailType"/>
                        <xs:element name="IndeterminateDetail" type="vr:CertificateDetailType"/>
                </xs:choice>
        </xs:group>
        
        <xs:complexType name="CertificateDetailType">
                <xs:sequence>
                        <xs:group ref="vr:DetailsFixedContent"/>
                        <xs:element name="CertificateReport" type="vr:CertificateReportType"/> 
                </xs:sequence>
                <xs:attribute name="Type" type="xs:anyURI" fixed="urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:Certificate"/>
        </xs:complexType>

        <!-- Definitions for the report on the single certificate -->
        <xs:complexType name="CertificateReportType">
                <xs:sequence>
                        <xs:element name="CertificateIdentifier" />
                        <xs:element name="Subject" type="xs:string" />
<!--                    <xs:group ref="vr:ChainingValidity"/>
                        <xs:group ref="vr:ValidityPeriod"/>
                        <xs:group ref="vr:ExtensionsValidity"/>
                        <xs:group ref="vr:SignatureValueValidity" />
-->
                </xs:sequence>
        </xs:complexType>




</xs:schema>
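The point of the draft schema is that each Valid/Invalid/IndeterminateDetail element carries one fixed Type per nesting level (IndividualSignature under IndividualSignatureReport, CertificatePath under DetailedReport, Certificate under CertificatePathReport) and exactly one report element as its body after the optional Code and Message. The checker below is an added example, not part of the wiki page or of the DSS-X schema: it derives the expected Type from the detail's parent element, as the three complex types do, and tests a constructed VerificationReport instance offline, without the remote schema imports a real XSD validator would fetch.

```python
"""Check the one-fixed-Type-per-level rule of the draft schema above
(added example; the instance document below is constructed)."""
import xml.etree.ElementTree as ET

VR_NS = "urn:oasis:names:tc:dssx:1.0:profiles:multisignatureverification:1.0#"
DETAIL = "urn:oasis:names:tc:dssx:1.0:profiles:verificationreport:detail:"
DETAIL_NAMES = {"ValidDetail", "InvalidDetail", "IndeterminateDetail"}

# parent element -> (fixed Type suffix, mandatory report child), as declared by
# SignatureDetailType, CertificatePathDetailType and CertificateDetailType.
LEVELS = {
    "IndividualSignatureReport": ("IndividualSignature", "DetailedReport"),
    "DetailedReport": ("CertificatePath", "CertificatePathReport"),
    "CertificatePathReport": ("Certificate", "CertificateReport"),
}


def split(tag):
    """(namespace, local name) of a Clark-notation tag."""
    if tag.startswith("{"):
        ns, name = tag[1:].split("}", 1)
        return ns, name
    return "", tag


def check_report(xml_text):
    """Return a list of rule violations; an empty list means the instance conforms."""
    problems = []
    for parent in ET.fromstring(xml_text).iter():
        pname = split(parent.tag)[1]
        for child in parent:
            ns, name = split(child.tag)
            if ns != VR_NS or name not in DETAIL_NAMES:
                continue
            where = f"{pname}/{name}"
            if pname not in LEVELS:
                problems.append(f"{where}: no detail group is declared under {pname}")
                continue
            suffix, report = LEVELS[pname]
            expected = DETAIL + suffix
            actual = child.get("Type")
            # A fixed attribute may be omitted; XSD then supplies the fixed value.
            if actual is not None and actual != expected:
                problems.append(f"{where}: Type {actual!r} differs from fixed value {expected!r}")
            # DetailsFixedContent (optional Code/Message) is followed by exactly one report element.
            body = [split(k.tag)[1] for k in child if split(k.tag)[1] not in ("Code", "Message")]
            if body != [report]:
                problems.append(f"{where}: expected a single {report} child, found {body}")
    return problems


# Constructed instance: a signature rejected because a certificate in its path is revoked.
GOOD = f"""<vr:VerificationReport xmlns:vr="{VR_NS}" xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema">
  <vr:IndividualSignatureReport>
    <vr:SignatureIdentifier>sig-1</vr:SignatureIdentifier>
    <dss:Result><dss:ResultMajor>urn:oasis:names:tc:dss:1.0:resultmajor:Success</dss:ResultMajor></dss:Result>
    <vr:InvalidDetail Type="{DETAIL}IndividualSignature">
      <vr:DetailedReport>
        <vr:Properties/>
        <vr:InvalidDetail Type="{DETAIL}CertificatePath">
          <vr:Message xml:lang="en">a certificate in the path is revoked</vr:Message>
          <vr:CertificatePathReport>
            <vr:CertificateIdentifier>path-1</vr:CertificateIdentifier>
            <vr:InvalidDetail Type="{DETAIL}Certificate">
              <vr:CertificateReport>
                <vr:CertificateIdentifier>ee-1</vr:CertificateIdentifier>
                <vr:Subject>CN=constructed signer</vr:Subject>
              </vr:CertificateReport>
            </vr:InvalidDetail>
          </vr:CertificatePathReport>
        </vr:InvalidDetail>
      </vr:DetailedReport>
    </vr:InvalidDetail>
  </vr:IndividualSignatureReport>
</vr:VerificationReport>"""

# Omitting a fixed attribute is allowed: the schema supplies its value.
NO_TYPE = GOOD.replace(f' Type="{DETAIL}IndividualSignature"', "")

# A detail at the certificate level carrying an unrelated Type must be rejected.
BAD = GOOD.replace(f'{DETAIL}Certificate"', f'{DETAIL}Chaining"')

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("no type", NO_TYPE), ("bad", BAD)]:
        print(label, check_report(doc) or "conforms")
```

The check reproduces only the part of the schema this section is about; it does not replace validating against the full XSD once the imports resolve. Note the consequence of `fixed` without `use="required"`: a producer may leave the Type attribute out entirely, so a consumer that dispatches on the attribute's presence rather than on the element's position will misread schema-valid reports.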

MultiSignatureVerificationReportsProfile (last edited 2009-08-12 18:03:58 by localhost)