
Subject: RE: [dss-x] DSS-X Visible Signatures Profile


This is an interesting approach for visual signatures which is different than what I had in mind.
Perhaps we need two different profiles to address these two approaches.

My approach is to leverage existing digital signature specifications for popular document formats (such as PDF).
The idea is that you would send such a document to the DSS server and ask it to sign it while inserting a visual signature in a specific place in the document.
The result would be a document that can be opened, viewed *and verified* by any standard application for that document type (for example Adobe Reader).

In the Austrian approach, a PDF file cannot be signed visually while maintaining the ability to be verified by standard applications that adhere to the PDF spec for digital signatures.
This is because the PDF standard defines that a signature must cover all the bytes in the document in the hash calculation, and that must also include the visual appearance. Therefore the appearance cannot contain the signature value itself.

I am working on a draft document for a "visual document signatures" profile of DSS along the lines of my approach and hope to post it to the list before the next TC meeting.

- Uri


> -----Original Message-----
> From: Pope, Nick [mailto:Nick.Pope@thales-esecurity.com] 
> Sent: Thursday, 26 July, 2007 13:09
> To: Konrad Lanz; dss-x@lists.oasis-open.org; 
> dss-x-comments@lists.oasis-open.org
> Subject: RE: [dss-x] DSS-X Visible Signatures Profile
> 
> Konrad,
> 
> I look forward to reading this and working on this profile in DSS.
> 
> How would you see this relating to a possible profile for 
> signing PDF documents?  Would this be a sub-profile?
> 
> Uri - what are your views on this?
> 
> Nick
> 
> > -----Original Message-----
> > From: Konrad Lanz [mailto:Konrad.Lanz@labs.cio.gv.at]
> > Sent: 23 July 2007 19:46
> > To: dss-x@lists.oasis-open.org; dss-x-comments@lists.oasis-open.org
> > Cc: Herbert Leitold; Peter Reichstädter
> > Subject: [dss-x] DSS-X Visible Signatures Profile
> > Importance: Low
> > 
> > Dear fellow DSS-X Members,
> > 
> > to get the work on a visible signatures profile for DSS-X started we
> > foresee the following work items and are happy to provide references
> > to material defining visible signatures in Austria.
> > 
> > * Definition of Terms
> >     -------------------
> >     The English version of the Austrian E-Government Act can be a
> >     rich source. [1][2][3]
> > 
> > * What a visible signature should look like
> >     -----------------------------------------
> >     The Austrian e-Government Act [1] can also provide here a very
> >     general and rich definition in principle requiring the following
> >     for visible signatures:
> > 
> >       - visible image mark (recognized logo) of the signatory
> >       - name and role of signatory (optional)
> >       - date / time
> >       - identifier of legal act / process (optional)
> >       - name and country of origin of the issuing CA
> >       - serial number of the signatory's Certificate
> >       - the signature value in BASE64 coding
> >       - an appropriate attribute (non critical V3 extension) in
> >         the  signature certificate.
> >         In Austria's administration this means a registered OID
> >         indicating that the organization is a public
> >         administration.
> >       - validity hint (optional)
> > 
> > * Another important topic is the probative value of Printouts
> >     -----------------------------------------------------------
> >       - the electronic form including the signature can be exactly
> >         reconstructed from the printout and can be verified from
> >         the printout
> > 
> > 
> > You can find an example of a visible PDF and XML Signature attached.
> > 
> > [1] Federal Electronic Signature Law:
> >       --------------------------------- 
> > http://www.ris.bka.gv.at/erv/erv_1999_1_190.pdf
> > 
> > [2] The Austrian E-Government Act:
> >       ------------------------------
> > http://www.ris.bka.gv.at/erv/erv_2004_1_10.pdf
> > 
> > [3] Administration on the Net:
> >       ------------------------------
> > http://www.cio.gv.at/egovernment/umbrella/Administration_on_the_Net.zip
> > cf. Page 134
> > 
> > 
> > kind regards
> > Konrad Lanz
> 
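The circular dependency raised in the reply at the top of this message, as an added example that is not part of the original thread: a constructed toy container (not real PDF syntax) whose digest covers every byte outside a reserved signature slot, with HMAC-SHA256 standing in for the signer's key pair. The layout, key and function names are all assumptions made for illustration.

```python
import base64, hashlib, hmac

KEY = b"constructed-demo-key"   # assumption: stand-in for the signer's private key
SLOT = b"0" * 64                # reserved space for the signature value (hex)

def build(appearance: bytes, sig_hex: bytes = SLOT) -> bytes:
    """Constructed toy layout: visible appearance bytes, then a signature slot."""
    return b"%DOC\nAPPEARANCE<" + appearance + b">\nSIG<" + sig_hex + b">\n%%EOF\n"

def covered_bytes(doc: bytes) -> bytes:
    """Every byte except the contents of the SIG<...> slot."""
    start = doc.rindex(b"SIG<") + 4
    end = doc.index(b">", start)
    return doc[:start] + doc[end:]

def sign(doc: bytes) -> bytes:
    # HMAC-SHA256 stands in for hash-then-sign with a real key pair.
    return hmac.new(KEY, covered_bytes(doc), hashlib.sha256).hexdigest().encode()

def embed(doc: bytes, sig_hex: bytes) -> bytes:
    """Write the signature value into the reserved slot."""
    start = doc.rindex(b"SIG<") + 4
    return doc[:start] + sig_hex + doc[start + len(SLOT):]

def verify(doc: bytes) -> bool:
    start = doc.rindex(b"SIG<") + 4
    stored = doc[start:start + len(SLOT)]
    return hmac.compare_digest(stored, sign(doc))

def demo() -> dict:
    # Case 1: appearance shows name and time only; the value lives in the slot.
    plain = build(b"Signed by: Example Signer, 2007-07-26")
    sig = sign(plain)
    signed = embed(plain, sig)
    # Case 2: print that same value (Base64) inside the covered appearance.
    shown = base64.b64encode(bytes.fromhex(sig.decode()))
    visible = build(b"Signed by: Example Signer, 2007-07-26 " + shown, sig)
    return {
        "standard_verifies": verify(signed),
        "value_in_appearance_verifies": verify(visible),
        # Re-signing does not help: the new value no longer matches what is shown.
        "resigned_value_differs": sign(visible) != sig,
    }

if __name__ == "__main__":
    print(demo())
```
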

