Digital Signature Service Core Protocols, Elements, and Bindings Version 0 oasis standard 11 April 2007

Спампаваць 0.54 Mb.

старонка	5/11
Дата канвертавання	24.04.2016
Памер	0.54 Mb.

1 2 3 4 5 6 7 8 9 10 11

2.5Element

The element contains a signature or timestamp of some sort. This element is returned in a sign response message, and sent in a verify request message. It may contain one of the following child elements:

[Optional]

An XML signature [XMLDSIG].

[Optional]

An XML, RFC 3161 or other timestamp (see section 5.1).

[Optional]

A base64 encoding of some non-XML signature, such as a PGP [RFC 2440] or CMS [RFC 3852] signature. The type of signature is specified by its Type attribute (see section 7.1).

[Optional]

This is used to point to an XML signature in an input (for a verify request) or output (for a sign response) document in which a signature is enveloped.

SchemaRefs [Optional]

As described above in 2.4.1

A contains the following attributes:

WhichDocument [Required]

This identifies the input document as in section 2.4.2 being pointed at (see also ID attribute in section 2.4.1).

XPath [Optional]

a) This identifies the signature element being pointed at.

b) The XPath expression is evaluated from the root node (see section 5.1 of [XPATH]) of the document identified by WhichDocument after the XML data was extracted and parsed if necessary. The context node for the XPath evaluation is the document’s DocumentElement (see section 2.1 Well-Formed XML Documents [XML]).

c) About namespace declarations for the expression necessary for evaluation see section 1 of [XPATH]. Namespace prefixes used in XPath expressions MUST be declared within the element containing the XPath expression. E.g.: . See also the following example below. A piece of a XML signature of a containing a with a XPath filtering element that includes inline namespace prefixes declaration. This piece of text comes from one of the signatures that were generated in the course of the interoperability experimentation. As one can see they are added to the element:

Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">

xmlns:upc2="http://www.ac.upc.edu/namespaces/ns2">ancestor-or-self::upc1:Root

>

24xf8vfP3xJ40akfFAnEVM/zxXY=

If the XPath does not evaluate to one element the server MUST return a (section 2.6) issuing a RequesterError qualified by a XPathEvaluationError.

Other may contain arbitrary content that may be specified in a profile and can also be used to extend the Protocol.

The following schema fragment defines the , , and elements:

2.6Element

The element is returned with every response message. It contains the following child elements:

[Required]

The most significant component of the result code.

[Optional]

The least significant component of the result code.

[Optional]

A message which MAY be returned to an operator, logged, used for debugging, etc.

minOccurs="0"/>

type="dss:InternationalStringType" minOccurs="0"/>

The URIs MUST be values defined by this specification or by some profile of this specification. The values defined by this specification are:

urn:oasis:names:tc:dss:1.0:resultmajor:Success

The protocol executed successfully.

urn:oasis:names:tc:dss:1.0:resultmajor:RequesterError

The request could not be satisfied due to an error on the part of the requester.

urn:oasis:names:tc:dss:1.0:resultmajor:ResponderError

The request could not be satisfied due to an error on the part of the responder.

urn:oasis:names:tc:dss:1.0:resultmajor:InsufficientInformation

The request could not be satisfied due to insufficient information.

In case of doubt of who is responsible a urn:oasis:names:tc:dss:1.0:resultmajor:ResponderError is assumed.

This specification defines the following values, that are listed below, grouped by the respective associated code.

One of the following values MUST be returned when the code is Success.

urn:oasis:names:tc:dss:1.0:resultminor:valid:signature:OnAllDocuments

The signature or timestamp is valid. Furthermore, the signature or timestamp covers all of the input documents just as they were passed in by the client.

urn:oasis:names:tc:dss:1.0:resultminor:valid:signature:NotAllDocumentsReferenced

The signature or timestamp is valid. However, the signature or timestamp does not cover all of the input documents that were passed in by the client.

urn:oasis:names:tc:dss:1.0:resultminor:invalid:IncorrectSignature

The signature fails to verify, for example due to the signed document being modified or the incorrect key being used.

urn:oasis:names:tc:dss:1.0:resultminor:valid:signature:HasManifestResults

The signature is valid with respect to XML Signature core validation. In addition, the message also contains VerifyManifestResults.
Note: In the case that the core signature validation failed no attempt is made to verify the manifest.

urn:oasis:names:tc:dss:1.0:resultminor:valid:signature:InvalidSignatureTimestamp

The signature is valid however the timestamp on that signature is invalid.

The following values is suggest MAY be returned when the code is RequesterError.

urn:oasis:names:tc:dss:1.0:resultminor:ReferencedDocumentNotPresent

A ds:Reference element is present in the ds:Signature containing a full URI, but the corresponding input document is not present in the request.

urn:oasis:names:tc:dss:1.0:resultminor:KeyInfoNotProvided

The required key information was not supplied by the client, but the server expected it to do so.

urn:oasis:names:tc:dss:1.0:resultminor:MoreThanOneRefUriOmitted

The server was not able to create a signature because more than one RefUri was omitted.

urn:oasis:names:tc:dss:1.0:resultminor:InvalidRefURI

The value of the RefURI attribute included in an input document is not valid.

urn:oasis:names:tc:dss:1.0:resultminor:NotParseableXMLDocument

The server was not able to parse a Document.

urn:oasis:names:tc:dss:1.0:resultminor:NotSupported

The server doesn’t recognize or can’t handle any optional input.

urn:oasis:names:tc:dss:1.0:resultminor:Inappropriate:signature

The signature or its contents are not appropriate in the current context.

For example, the signature may be associated with a signature policy and semantics which the DSS server considers unsatisfactory.

Further values for associated with code

urn:oasis:names:tc:dss:1.0:resultmajor:RequesterError are left open to the implementer or profile to be defined with in their namespaces.

The following values MAY be returned when the code is ResponderError.

urn:oasis:names:tc:dss:1.0:resultminor:GeneralError

The processing of the request failed due to an error not covered by the existing error codes. Further details should be given in the result message for the user which may be passed on to the relevant administrator.

urn:oasis:names:tc:dss:1.0:resultminor:invalid:KeyLookupFailed

Locating the identified key failed (e.g. look up failed in directory or in local key file).

Further values for associated with code
urn:oasis:names:tc:dss:1.0:resultmajor:ResponderError are left open to the implementer or profile to be defined within their namespaces.

The following values MAY be returned when the code is InsufficientInformation.

urn:oasis:names:tc:dss:1.0:resultminor:CrlNotAvailiable

The relevant certificate revocation list was not available for checking.

urn:oasis:names:tc:dss:1.0:resultminor:OcspNotAvailiable

The relevant revocation information was not available via the online certificate status protocol.

urn:oasis:names:tc:dss:1.0:resultminor:CertificateChainNotComplete

The chain of trust could not be established binding the public key used for validation to a trusted root certification authority via potential intermediate certification authorities.

1 2 3 4 5 6 7 8 9 10 11