Clarify GetAssignedMediaSigningCertificates response behavior

doc/Security.xml

@@ -34,7 +34,7 @@
         RELATING TO ANY USE OR DISTRIBUTION OF THIS DOCUMENT, WHETHER OR NOT (1) THE CORPORATION,
         MEMBERS OR THEIR AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR (2)
         SUCH DAMAGES WERE REASONABLY FORESEEABLE, AND ARISING OUT OF OR RELATING TO ANY USE OR
-        DISTRIBUTION OF THIS DOCUMENT.  THE FOREGOING DISCLAIMER AND LIMITATION ON LIABILITY DO NOT
+        DISTRIBUTION OF THIS DOCUMENT.  THE FOREGOING DISCLAIMER AND LIMITATION ON LIABILITY DO NOT
         APPLY TO, INVALIDATE, OR LIMIT REPRESENTATIONS AND WARRANTIES MADE BY THE MEMBERS AND THEIR
         RESPECTIVE AFFILIATES TO THE CORPORATION AND OTHER MEMBERS IN CERTAIN WRITTEN POLICIES OF
         THE CORPORATION.</para>
@@ -4379,12 +4379,27 @@
       <title>Media Signing</title>
       <section xml:id="section_cfb_gy4_kwb">
         <title>Overview</title>
-        <para>Signing of media that is generated by the device is described in the [Media Signing
-          Specification]. Media is signed using a private key that is provisioned during factory
-          production that is stored in a specially protected hardware component (e.g., a trusted
-          platform module). This private key is associated with a certificate that holds the public
-          key. In addition to the factory provisioned key one additional private key can be used to
-          sign media. </para>
+        <para>Media authenticity data in the form of signatures is generated by the device and
+          included in the media stream as described in the [Media Signing Specification]. Media is
+          typically signed using a certificate based on the private key provisioned in one of the
+          below listed approaches</para>
+          <variablelist>
+            <varlistentry>
+              <term>Factory Provisioned Key</term>
+              <listitem>
+                <para>Private key provisioned into the device by the manufacturer and that private
+                key is associated with a certificate that holds the public key.</para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term>User Provisioned Key</term>
+              <listitem>
+                <para>User can provision an additional private key and that private key is
+                associated with a certificate that holds the public key. </para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
       </section>
       <section xml:id="section_dfb_gy4_kwb">
         <title>AddMediaSigningCertificateAssignment</title>
@@ -4402,8 +4417,8 @@
           <varlistentry>
             <term>request</term>
             <listitem>
-              <para role="param">CertificationPathID - [tas:CertificationPathID] The ID of the
-                certification path to assign for media signing.</para>
+              <para role="param">CertificationPathID - [tas:CertificationPathID]</para>
+              <para role="text">The ID of the certification path to assign for media signing.</para>
             </listitem>
           </varlistentry>
           <varlistentry>
@@ -4415,11 +4430,12 @@
           <varlistentry>
             <term>faults</term>
             <listitem>
-              <para role="param">env:Sender - ter:InvalidArgVal - ter:CertificationPathID No
+              <para role="param">env:Sender - ter:InvalidArgVal - ter:CertificationPathID </para>
+              <para role="text">No
                 certification path is stored in the keystore under the given certification path
                 ID.</para>
-              <para role="param">env:Sender - ter:InvalidArgVal - ter:NoPrivateKey The key pair that
-                is associated with the leaf certificate in the certificate chain does not have an
+              <para role="param">env:Sender - ter:InvalidArgVal - ter:NoPrivateKey </para>
+               <para role="text"> The key pair that is associated with the leaf certificate in the certificate chain does not have an
                 associated private key.</para>
             </listitem>
           </varlistentry>
@@ -4444,8 +4460,8 @@
           <varlistentry>
             <term>request</term>
             <listitem>
-              <para role="param">CertificationPathID - [tas:CertificationPathID] The ID of the
-                certification path to remove.</para>
+              <para role="param">CertificationPathID - [tas:CertificationPathID]</para>
+              <para>The ID of the certification path to remove.</para>
             </listitem>
           </varlistentry>
           <varlistentry>
@@ -4492,8 +4508,12 @@
             <listitem>
               <para role="param">CertificationPathID - optional, max 2 [tas:CertificationPathID] </para>
               <para role="text">List of certification path IDs assigned for media signing. At least
-                one certification path will be returned, the factory provisioned one. At most two
-                certification paths will be returned.</para>
+                one certification path that includes the factory provisioned one shall be returned.
+                At most two certification paths will be returned.</para>
+              <para>As response structure is CertificationPathID, to retrieve the assigned media
+                signing certificates as expected from the interface name
+                GetAssignedMediaSigningCertificates, client needs to make an additional request of
+                GetCertificationPath with CertificationPathID as input.</para>
             </listitem>
           </varlistentry>
           <varlistentry>
@@ -4510,7 +4530,6 @@
           </varlistentry>
         </variablelist>
       </section>
-    </section>
     <section xml:id="section_hd2_5r4_rwb">
       <title>Autorization Server Configuration</title>
       <para>This chapter describes configuration of external authorization servers. For an overview
@@ -5536,23 +5555,6 @@
                     MaximumNumberOfDot1XConfigurations shall be greater than zero.</para>
                 </entry>
               </row>
-              <row>
-                <entry>
-                  <para>MediaSigningSupported</para>
-                </entry>
-                <entry>
-                  <para>If true, GetAssignedMediaSigningCertificates shall be supported.</para>
-                </entry>
-              </row>
-              <row>
-                <entry>
-                  <para>UserMediaSigningKeySupported</para>
-                </entry>
-                <entry>
-                  <para>If true, AddMediaSigningCertificateAssignment and
-                    RemoveMediaSigningCertificateAssignment shall be supported.</para>
-                </entry>
-              </row>
               <row>
                 <entry><para>EllipticCurves</para></entry>
                 <entry>
@@ -5590,6 +5592,7 @@
       <title>Service specific data types</title>
       <para>The service specific data types are defined in security.wsdl.</para>
     </section>
+   </section>
   </chapter>
   <chapter>
     <title>Security Considerations</title>

wsdl/ver10/advancedsecurity/wsdl/advancedsecurity.wsdl

@@ -2473,7 +2473,9 @@
 					<xs:sequence>
 						<xs:element name="CertificationPathID" type="tas:CertificationPathID" minOccurs="0" maxOccurs="2">
 							<xs:annotation>
-								<xs:documentation>The IDs of all certification paths that are assigned for media signing.</xs:documentation>
+								<xs:documentation>The IDs of all certification paths that are assigned for media signing.
+								As expected response structure is misleading, to retrieve the assigned media signing certificates as expected from interface name, 
+								client needs to make an additional request of GetCertificationPath with CertificationPathID as input.</xs:documentation>
 							</xs:annotation>
 						</xs:element>
 					</xs:sequence>