1

2
3

Policy-Wise Server Abstract Profile of

the OASIS Digital Signature Service

Committee Draft, 24 December, 2004

(Working Draft 04)

6
7

Document identifier:
oasis-dss-1.0-profiles-pws-spec-cd-01.doc

8
9

Location:
http://docs.oasis-open.org/dss/

10
11

Editor:

12
13

Contributors:

14
15

Abstract:

Paul Madsen, Entrust <p.madsen@entrust.com>

16
17
18
19
20

This draft profiles the OASIS DSS core protocols for environments where the client is
either ignorant of signing/verification policy or does not have the authority to specify such
policy. It is the server (or the infrastructure behind it) that maintains and specifies policy
and so is policy-wise. This profile is abstract as it is not expected to be directly
implementable but rather is itself profiled by other implementable profiles.

21
22
23
24
25
26
27
28
29

Status:
This is a Committee Draft produced by the OASIS Digital Signature Service Technical
Committee. Committee members should send comments on this draft to
dss@lists.oasis-open.org.
For information on whether any patents have been disclosed that may be essential to
implementing this specification, and any offers of patent licensing terms, please refer to
the Intellectual Property Rights section of the Digital Signature Service TC web page at
http://www.oasis-open.org/committees/dss/ipr.php.

30

oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 1 of 12

30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

Table of Contents
1

Introduction ............................................................................................................................. 3
1.1 Notation ................................................................................................................................. 3
1.2 Namespaces ......................................................................................................................... 3
1.3 Overview (Non-normative) .................................................................................................... 3
2
Profile Features....................................................................................................................... 5
2.1 Identifier................................................................................................................................. 5
2.2 Scope .................................................................................................................................... 5
2.3 Relationship To Other Profiles .............................................................................................. 5
2.4 Signature Object.................................................................................................................... 5
2.5 Transport Binding .................................................................................................................. 5
2.6 Security Binding .................................................................................................................... 5
3
Profile of Signing Protocol....................................................................................................... 6
3.1 Element <SignRequest> ....................................................................................................... 6
3.1.1 Element <OptionalInputs> ............................................................................................. 6
3.1.2 Element <InputDocuments> .......................................................................................... 7
3.2 Element <SignResponse> .................................................................................................... 7
3.2.1 Element <Result> .......................................................................................................... 7
3.2.2 Element <OptionalOutputs> .......................................................................................... 7
3.2.3 Element <SignatureObject>........................................................................................... 7
4
Profile of Verifying Protocol..................................................................................................... 8
4.1 Element <VerifyRequest> ..................................................................................................... 8
4.1.1 Element <OptionalInputs> ............................................................................................. 8
4.1.2 Element <SignatureObject>........................................................................................... 8
4.1.3 Element <InputDocuments> .......................................................................................... 8
4.2 Element <VerifyResponse> .................................................................................................. 8
4.2.1 Element <Result> .......................................................................................................... 8
4.2.2 Element <OptionalOutputs> .......................................................................................... 8
5
Profile of Server Processing Rules ......................................................................................... 9
6
References............................................................................................................................ 10
6.1 Normative ............................................................................................................................ 10
Appendix A. Revision History ........................................................................................................ 11
Appendix B. Notices ...................................................................................................................... 12

63

oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 2 of 12

64

1 Introduction

65
66
67
68
69
70
71

The DSS signing and verifying protocols are defined in [DSSCore]. As defined in that document,
these protocols have a fair degree of flexibility and extensibility. This document profiles these
protocols to limit their flexibility and extend them in concrete ways. It also profiles the processing
rules followed by clients and servers when using these protocols. The resulting profile is an
abstract profile. Further profiles will build on this one to provide a basis for implementation and
interoperability.

72

The following sections describe how to understand the rest of this document.

73
74

1.1 Notation

75
76
77
78
79
80

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be
interpreted as described in IETF RFC 2119 [RFC 2119]. These keywords are capitalized when
used to unambiguously specify requirements over protocol features and behavior that affect the
interoperability and security of implementations. When these words are not capitalized, they are
meant in their natural-language sense.

81
82

This specification uses the following typographical conventions in text: <ns:Element>,

Attribute, Datatype, OtherCode.

83

1.2 Namespaces

84

85

This schema is associated with the following XML namespace:

86

urn:oasis:names:tc:dss:1.0:profiles:policywiseserver:1.0

87
88

If a future version of this specification is needed, it will use a different namespace. Conventional
XML namespace prefixes are used in this document:

89

The prefix pws: stands for the DSS code-signing namespace [PWS-XSD].

90

The prefix dss: (or no prefix) stands for the DSS core namespace [Core-XSD].

91

The prefix ds: stands for the W3C XML Signature namespace [XMLSig].

92
93
94

Applications MAY use different namespace prefixes, and MAY use whatever namespace
defaulting/scoping conventions they desire, as long as they are compliant with the Namespaces
in XML specification [XML-ns].

95

1.3 Overview (Non-normative)

96
97
98
99
100

DSS provides to clients significant flexibility in customizing the base SignRequest/VerifyRequest

messages, implying that the DSS client is sufficiently aware of signing/verification policy to create
appropriate requests. In many scenarios, for reasons of security and/or policy management,
clients will not have this policy awareness; signing/verification policy will be instead stored and
managed at (or behind) the DSS server on behalf of its clients.

101
102
103
104

Consequently, in these scenarios, the full flexibility that the base DSS profiles provide for request
customization is unnecessary. The Policy-wise DSS Profile will remove this undesirable flexibility
to facilitate interoperability.
oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 3 of 12

105
106
107
108

Signature creation will be based on DSS SignRequest. Currently optional request inputs for
Selective Signing, Signature Placement, Processing steps, Output options, etc will be
removed.

109
110

Signature verification will be based on DSS VerifyRequest. Currently optional request inputs
for Selective Verification, Trust Settings etc will be removed.

oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 4 of 12

111

2 Profile Features

112

2.1 Identifier

113
114

urn:oasis:names:tc:dss:1.0:profiles:pws

115

2.2 Scope

116

This document profiles the DSS signing and verifying protocols defined in [DSSCore].

117

2.3 Relationship To Other Profiles

118
119
120

The profiles in this document are based on the [DSSCore]. This profile is an abstract profile
which is not implementable directly and must be further profiled or combined with another
implementable concrete profile.

121

2.4 Signature Object

122

This profile does not specify or constrain the type of signature object.

123

2.5 Transport Binding

124

This profile does not specify or constrain the transport binding.

125

2.6 Security Binding

126

This profile does not specify or constrain the security binding.

127

oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 5 of 12

128

3 Profile of Signing Protocol

129

3.1 Element <SignRequest>

130

3.1.1 Attribute profile

131
132

The profile identifier for Policy Wise Server MUST NOT be used as the value of the Profile
attribute.

133

3.1.2 Element <OptionalInputs>

134
135

The <ServicePolicy> and <ClaimedIdentity>, optional inputs from [DSSCore] are

supported and may be sent by the client.

136
137
138

Clients MUST NOT send the following optional inputs unless contained within a <SignedInput>
element (defined below):

139
140

Element <IntendedAudience>

141

Element <SignatureType>

142

Element <AddTimestamp>

143

Element <KeySelector>

144

Element <Language>

145

Element <SignedReferences>

146

Element <Properties>

147

Element <SignaturePlacement>

148

Element <EnvelopingSignature>

149
150

3.1.2.1 Element <AdditionalProfile>

151
152

The Policy Wise Server profile identifier MUST be placed in an <AdditionalProfile>

element.

153

3.1.2.2 Element <SignedInput>

154
155

This profile introduces a new <SignedInput> element within <OptionalInputs>. The

<SignedInput> element will carry signed policy statements for signing requests.

156
157

If present, the <SignedInput> element MUST contain one or more <ds:Signature>

elements that envelop the policy statements.

158
159
160
161
162
163
164
165

<xs:element name=SignedInput>
<xs:complexType>
<xs:sequence>
<xs:element ref=ds:Signature minOccurs=1/>
</xs:sequence>
</xs:complexType>
</xs:element>

oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 6 of 12

166

3.1.3 Element <InputDocuments>

167
168
169

For requests to sign XML documents, the client MUST only send <Document> input documents the client MUST NOT send <DocumentHash> input documents as this would require that the
client know which elements of the original XML document were to be signed.

170

3.2 Element <SignResponse>

171

3.2.1 Element <Result>

172

This profile defines no additional <ResultMinor> codes.

173

3.2.2 Element <OptionalOutputs>

174

This profile does not specify or constrain the optional outputs returned by the server.

175

3.2.3 Element <SignatureObject>

176

This profile does not specify or constrain the type of signature object returned by the server.

177

oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 7 of 12

178

4 Profile of Verifying Protocol

179

4.1 Element <VerifyRequest>

180

4.1.1 Element <OptionalInputs>

181
182

The client MUST NOT send any optional inputs unless these inputs are contained within a
<pws:SignedInput> element.

183

4.1.2 Element <SignatureObject>

184

This profile does not specify or constrain the type of signature object.

185

4.1.3 Element <InputDocuments>

186

This profile does not specify or constrain the type of input documents.

187

4.2 Element <VerifyResponse>

188

4.2.1 Element <Result>

189

This profile defines no additional <ResultMinor> codes.

190

4.2.2 Element <OptionalOutputs>

191

This profile does not specify or constrain the optional outputs returned by the server.

oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 8 of 12

192

5 Profile of Server Processing Rules

193
194
195

In addition to the basic processing steps defined in [DSSCore], a DSS Server should validate any
<ds:Signature> element contained within the <OptionalInputs> element according to
section 3.2.2 in [XMLSig].

196
197
198

For any such signatures, the DSS Server MUST verify that the signer is authorized to specify
policy for the corresponding request.

oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 9 of 12

199

6 References

200

6.1 Normative

201

[Core-XSD]

T. Perrin et al. DSS Schema. OASIS, (MONTH/YEAR TBD)

202
203
204
205

[DSSCore]
T. Perrin et al. Digital Signature Service Core Protocols and Elements. OASIS,
(MONTH/YEAR TBD)

206
207
208

[RFC 2119]
S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. IETF
RFC 2396, August 1998.

209

http://www.ietf.org/rfc/rfc2396.txt.

210
211
212

[XML-ns]
T. Bray, D. Hollander, A. Layman. Namespaces in XML. W3C
Recommendation, January 1999.

213

http://www.w3.org/TR/1999/REC-xml-names-19990114

214
215
216

[XMLSig]
D. Eastlake et al. XML-Signature Syntax and Processing. W3C
Recommendation, February 2002.

217

http://www.w3.org/TR/1999/REC-xml-names-19990114

218

oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 10 of 12

219

Appendix A. Revision History

Rev

Date

By Whom

What

wd-01

2004-02-10

Paul Madsen

Initial version

wd-02

2004-03-22

Paul Madsen

To reflect template changes & feedback

wd-03

2004-04-30

Paul Madsen

Introduce <SignedInput> element

wd-04

2004-10-09

Paul Madsen

Fixed typo in <SignedInput> schema.

Removed reference to normative Policy
Wise Server XSD, changed allowed
<OptionalInputs> on <SignRequest>.
Added profile identifier

oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 11 of 12

220

Appendix B. Notices

221
222
223
224
225
226
227
228
229

OASIS takes no position regarding the validity or scope of any intellectual property or other rights
that might be claimed to pertain to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or might not be available;
neither does it represent that it has made any effort to identify any such rights. Information on
OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS
website. Copies of claims of rights made available for publication and any assurances of licenses
to be made available, or the result of an attempt made to obtain a general license or permission
for the use of such proprietary rights by implementers or users of this specification, can be
obtained from the OASIS Executive Director.

230
231
232

OASIS invites any interested party to bring to its attention any copyrights, patents or patent
applications, or other proprietary rights which may cover technology that may be required to
implement this specification. Please address the information to the OASIS Executive Director.

233

Copyright OASIS Open 2003. All Rights Reserved.

234
235
236
237
238
239
240
241
242

This document and translations of it may be copied and furnished to others, and derivative works
that comment on or otherwise explain it or assist in its implementation may be prepared, copied,
published and distributed, in whole or in part, without restriction of any kind, provided that the
above copyright notice and this paragraph are included on all such copies and derivative works.
However, this document itself does not be modified in any way, such as by removing the
copyright notice or references to OASIS, except as needed for the purpose of developing OASIS
specifications, in which case the procedures for copyrights defined in the OASIS Intellectual
Property Rights document must be followed, or as required to translate it into languages other
than English.

243
244

The limited permissions granted above are perpetual and will not be revoked by OASIS or its
successors or assigns.

245
246
247
248
249

This document and the information contained herein is provided on an AS IS basis and OASIS
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE
ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.

oasis-dss-1.0-profiles-pws-spec-cd-01.doc
Copyright OASIS Open 2004. All Rights Reserved.

24 December, 2004

Page 12 of 12