Subject: "Dry" and "Wet" signatures - A definition
Dear list,
In a previous posting where I referred to some discussions concerning a possible Web Sign standards effort within OASIS, "Dry" and "Wet" signatures were mentioned. Several off-list messages indicate that these terms need a proper explanation.
This comes as no big surprise, as these terms have actually been coined by myself in the absence of an established terminology in this actually rather virgin field.
"Wet" web-signatures
An editable document, be it an MS Word document or an HTML form with edit fields, radio buttons etc., is filled in and signed by the user and then sent to the service provider.
"Dry" web-signatures
The user is (after an arbitrary interactive process with a service provider) presented with a static (read-only) document and is requested to sign it in order to indicate "acceptance". Since the document actually comes from the service provider, the result sent to the service provider is typically only a detached signature of the shown document.
Further comments
These schemes represent two different schools, one which tries to mimic the
existing paper form world, while the other scheme is more aligned with how the
web is currently used.
Implications
Superficially these schemes may appear similar, but that is indeed not the
case; there is probably a 10-to-1 difference in complexity unless you restrict
"Wet" signatures to only support a single document format. The reason for
this increase in complexity is that each document format has its own native
signature format (or has no defined signature format at all), as well as
its own input data validation scheme. Using "Dry" detached signatures, you
can achieve the same thing as S/MIME does, namely document format
independence with respect to the signature process (except for some trivial
canonicalizations). Possible input data validation is assumed to have been
carried out in earlier phases of a web session, using standard web
methodology. There are numerous other implications as well concerning the
use of "Wet" and "Dry" signatures, but these are far outside the range of an
e-mail posting.
Anders Rundgren
Working for a major US computer security company but here acting as an
individual
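The "Dry" flow described in the message above, as an added example that is not part of the original posting: the user returns only a detached signature, and the provider verifies it against its own stored copy through one code path for every document format. Ed25519, the `providerStore` map, the document ids and the line-ending rule in `canonicalize` are assumptions chosen for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed sample: the provider's own copies of the documents it displays.
const providerStore = new Map([
  ["order-1", { type: "text/html", body: Buffer.from("<p>Pay 100 EUR to ACME</p>\r\n") }],
  ["order-2", { type: "application/pdf", body: Buffer.from([0x25, 0x50, 0x44, 0x46, 0x0d, 0x0a, 0x00, 0xff]) }],
]);

// Assumed "trivial canonicalization": normalise line endings for text types only;
// every other format is signed as opaque bytes.
function canonicalize(doc) {
  if (!doc.type.startsWith("text/")) return doc.body;
  return Buffer.from(doc.body.toString("utf8").replace(/\r\n/g, "\n"), "utf8");
}

// User side: sign the displayed document, return only the detached signature.
function signDry(docId, shownDoc, privateKey) {
  const sig = nodeCrypto.sign(null, canonicalize(shownDoc), privateKey);
  return { docId, signature: sig.toString("base64") };
}

// Provider side: verify against its own stored copy, never a client-supplied one.
function verifyDry(response, publicKey) {
  const doc = providerStore.get(response.docId);
  if (!doc) return false;
  const sig = Buffer.from(response.signature, "base64");
  return nodeCrypto.verify(null, canonicalize(doc), publicKey, sig);
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const results = {};
  for (const [id, doc] of providerStore) {
    results[id] = verifyDry(signDry(id, doc, privateKey), publicKey);
  }
  // The same text with different line endings still verifies after canonicalization.
  const lfCopy = { type: "text/html", body: Buffer.from("<p>Pay 100 EUR to ACME</p>\n") };
  results.lineEndings = verifyDry(signDry("order-1", lfCopy, privateKey), publicKey);
  // A signature over content that differs from the provider's copy is rejected.
  const altered = { type: "text/html", body: Buffer.from("<p>Pay 900 EUR to ACME</p>\n") };
  results.altered = verifyDry(signDry("order-1", altered, privateKey), publicKey);
  // A signature for one document does not verify against another document id.
  const moved = { ...signDry("order-1", lfCopy, privateKey), docId: "order-2" };
  results.moved = verifyDry(moved, publicKey);
  return results;
}
```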