sc34wg4 / opcRevision

Revision of ISO/IEC 29500-2 (Open Packaging Conventions)

ESI 7: What can Digital Signature Certificate Parts contain? #18

Open murata2makoto opened 4 years ago

murata2makoto commented 4 years ago

ETSI wrote:

It is not clear from the text in 12.4.4 if the "Digital Signature Certificate Part" may contain one or more certificates. Strictly speaking, the text says that the X.509 certificate used to validate a signature can be contained in this part, but it does not say anything about the possibility of including other certificates (those ones in the certificate path, for instance).

Add text clearly specifying the cardinality of the certificates that can appear within one "Digital Signature XML Signature Part".

We have to make clear the permissible contents of a Digital Signature Certificate Part. In my understanding of XML DSig, any KeyInfo element is allowed to be referenced by the RetrievalMethod element. But is it OK to allow any KeyInfo element as the content of this part?

@dcleblanc, comments?

dcleblanc commented 4 years ago

I'm not sure exactly what you are referring to, and I won't be able to research the exact text until Monday. However, there are two places to put certificates - in the XMLDSig portion, where there should only be the signing certificate, and optionally in the XAdES portion, where the remainder of the chain should go.

If there were more than one cert in KeyInfo, then as long as the signing cert came first, it should work, but I'd want to test it to be certain. As I recall, several elements could be in a KeyInfo, and it should specify it must be an X509Certificate, and there should be only one, where the signing cert must come first.

Apologies if I do not have details precisely correct, working from memory.



From: MURATA Makoto notifications@github.com Sent: Saturday, October 12, 2019 7:05:52 AM To: sc34wg4/opcRevision opcRevision@noreply.github.com Cc: David LeBlanc dleblanc@exchange.microsoft.com; Mention mention@noreply.github.com Subject: [sc34wg4/opcRevision] ESI 7: What can Digital Signature Certificate Parts contain? (#18)


RexJaeschke commented 4 years ago

After some discussion, Rex asked how we might inject this into the current work given it was not a comment from the DIS ballot.

In any event, it is likely we'll need another mail to David to get further clarification.

Perhaps this can wait until Japan proposes an amendment for further digital-signal processing support.

dcleblanc commented 4 years ago

There are several forms of a KeyInfo element, but we only accept X509Certificate. Therefore, we have to document this as a MUST be X509Certificate. As I stated before, I believe that if additional KeyInfo elements showed up, our parser should not break, and we should test this to be sure - I believe it will not. Some implementations might want to put the rest of the cert chain there. Ideally, if additional certs were there, we should use them to help build the cert chain, but that would be new functionality.

However, we have (since Office 2013) put the rest of the cert chain into the appropriate XAdES element, and if we find certs there, we will use them. So I would document that an implementation SHOULD put certs for the rest of the cert chain into the XAdES section.
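The rules proposed in the comment above, turned into a conformance check over a `ds:Signature` element (an added example, not code from this thread or from any Office implementation). It reports how many certificates sit in `KeyInfo`, which other `KeyInfo` forms appear, and how many chain certificates are carried in XAdES. Assumptions: the XAdES location is taken to be `CertificateValues/EncapsulatedX509Certificate` in the 1.3.2 namespace, the function name `audit_signature` is hypothetical, and both sample documents and the certificate value are constructed.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"  # assumed XAdES version

def local(el):
    return el.tag.rsplit("}", 1)[-1]

def audit_signature(xml_text):
    """Check one ds:Signature against the MUST/SHOULD proposed in the thread."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs before parsing untrusted XML
        raise ValueError("DTD not allowed")
    sig = ET.fromstring(xml_text)
    key_info = sig.find(f"{{{DS}}}KeyInfo")
    # Flatten KeyInfo: look inside X509Data, keep any other form by its own name.
    forms = [] if key_info is None else [
        local(leaf) for child in key_info
        for leaf in (list(child) if local(child) == "X509Data" else [child])]
    certs = forms.count("X509Certificate")
    other = sorted(set(forms) - {"X509Certificate"})
    # Assumed XAdES location for the rest of the chain.
    chain = len(sig.findall(
        f".//{{{XADES}}}CertificateValues/{{{XADES}}}EncapsulatedX509Certificate"))
    findings = []
    if certs == 0:
        findings.append("MUST: KeyInfo carries no X509Certificate")
    if other:
        findings.append("MUST: KeyInfo forms other than X509Certificate: " + ", ".join(other))
    if certs > 1:
        findings.append("SHOULD: extra certificates in KeyInfo; move the chain to XAdES")
    return {"keyinfo_certs": certs, "xades_chain_certs": chain, "findings": findings}

CERT = "Q09OU1RSVUNURUQ="  # constructed placeholder, not a real certificate
GOOD = f"""<Signature xmlns="{DS}" xmlns:x="{XADES}">
  <KeyInfo><X509Data><X509Certificate>{CERT}</X509Certificate></X509Data></KeyInfo>
  <Object><x:QualifyingProperties><x:UnsignedProperties><x:UnsignedSignatureProperties>
    <x:CertificateValues>
      <x:EncapsulatedX509Certificate>{CERT}</x:EncapsulatedX509Certificate>
      <x:EncapsulatedX509Certificate>{CERT}</x:EncapsulatedX509Certificate>
    </x:CertificateValues>
  </x:UnsignedSignatureProperties></x:UnsignedProperties></x:QualifyingProperties></Object>
</Signature>"""
BAD = f"""<Signature xmlns="{DS}">
  <KeyInfo><KeyValue/><X509Data>
    <X509Certificate>{CERT}</X509Certificate><X509Certificate>{CERT}</X509Certificate>
  </X509Data></KeyInfo>
</Signature>"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_signature(doc))
```

The check only counts and classifies elements; it does not decode certificates or confirm that the first one is the signing certificate, which requires validating the signature itself.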

murata2makoto commented 4 years ago

I find that none of the OOXML documents on my computer have parts of the type "application/vnd.openxmlformats-package.digital-signature-certificate". Since this media type does not end with "+xml", its content is not XML. What is it?