A further complexity is that few organizations,
including the US federal agencies, have yet begun
to look at how secure messaging is to be accomplished on a wider scale, except by using e-mail.
However, e-mail has huge limitations for
sophisticated (automated and interactive)
workflow compared to web-based systems, where the "transaction" and the "view" are typically not using a common
representation. The latter of course
has a major impact on how signatures can be utilized.
I have personally "toyed" with a number of use
cases in order to clear the picture for myself
(to begin with...). One simple but still pretty universal such
use case is the e-purchasing process, where one or
more employees are running an internal workflow
system in which a purchase request is, after proper authorization, converted into a purchase order and sent to a
supplier.
My own take on the aforementioned e-purchasing
process, using the web, is as follows:
1. The user is (when he considers himself
ready) presented with a completed requisition
proposal in, for example, HTML or PDF, which he is requested to sign and
submit. In the background the actual data is usually held by the web server session in a
"computer-friendly" format.
2. After signature validation etc. by the
workflow system, the requisition is archived together with the user's signature
for possible future reference.
3. Assuming the user is the final authorizer, a
purchase order is now created in a B2B-network-specific format (like UBL or
EDI), based on the requisition data (kept in the web session).
4. The completed purchase order is
then archived in a table linked to the signed requisition for possible
future reference.
5. Finally, the purchase order is
secured [*] and sent away for fulfillment in a B2B-network-defined
way.
Steps 2-5 are automatically performed by the
workflow system (server). Except for user signatures, the scheme
above is the de facto standard way of performing B2B
operations.
regards
Anders Rundgren
Working for a major US computer security company
but here acting as an individual
*] This part is unfortunately a major problem
for many people working with PKI, as it is really the workflow system that
creates, secures, and sends purchase orders to external suppliers.
Due to this, existing [and widely used] B2B schemes are almost
exclusively non-secured or are using shared secrets, as such schemes (in
spite of being completely inferior) seem to pass without major
consideration, while "signing PKI-servers" immediately bring in the legal
department ("a machine has no will or legal power") and the security experts ("this
is violating end-to-end security"), and force most such efforts to a dead
halt. A maybe vain hope is that these very interesting issues will be
properly "aired" when/if a web signature standards process is
launched.
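The five-step scheme in the post above, worked through as an added example in Python (my own illustration, not code from Anders Rundgren or from any product). It demonstrates the security point the post raises: the user signs the "view" (HTML) while the "transaction" lives in the server session in a different representation, so the server must prove the signed view is exactly what was rendered from the session data before archiving it, building the purchase order, and securing it server-side. Assumptions, labelled in the code: the signature primitive is an HMAC stand-in for a PKI signature (it has exactly the shared-secret weakness the footnote objects to; a deployment would use an asymmetric key and certificate), the purchase order is a simplified UBL-like XML rather than the real UBL schema, and the keys, session ids and requisition are constructed sample data.

```python
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET


def canonical(data: dict) -> bytes:
    """Deterministic serialization of the "computer-friendly" data held in the session."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def total(requisition: dict) -> int:
    return sum(line["qty"] * line["unit_price"] for line in requisition["lines"])


def render_view(requisition: dict) -> str:
    """Step 1: the human-readable proposal the user is asked to sign. The digest of
    the session data is embedded so the signed view stays tied to the data it was
    rendered from (view and transaction are different representations)."""
    digest = hashlib.sha256(canonical(requisition)).hexdigest()
    rows = "".join(
        f"<tr><td>{line['item']}</td><td>{line['qty']}</td><td>{line['unit_price']}</td></tr>"
        for line in requisition["lines"]
    )
    return (
        f"<html><body><h1>Requisition {requisition['id']}</h1><table>{rows}</table>"
        f"<p>Total: {total(requisition)}</p>"
        f'<meta name="data-digest" content="{digest}"></body></html>'
    )


# Stand-in for a PKI signature (an assumption of this example, not the post's
# scheme): an HMAC under a per-principal key. It is a shared secret, i.e. the
# inferior mechanism the footnote criticizes; a deployment would use an
# asymmetric key and a certificate.
def sign(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(key, message), signature)


def build_order(requisition: dict, order_id: str) -> bytes:
    """Step 3: purchase order in a simplified UBL-like XML (not the real UBL schema)."""
    order = ET.Element("Order")
    ET.SubElement(order, "ID").text = order_id
    ET.SubElement(order, "RequisitionReference").text = requisition["id"]
    ET.SubElement(order, "Supplier").text = requisition["supplier"]
    for n, line in enumerate(requisition["lines"], 1):
        ol = ET.SubElement(order, "OrderLine")
        ET.SubElement(ol, "LineID").text = str(n)
        ET.SubElement(ol, "Item").text = line["item"]
        ET.SubElement(ol, "Quantity").text = str(line["qty"])
        ET.SubElement(ol, "UnitPrice").text = str(line["unit_price"])
    return ET.tostring(order, encoding="utf-8")


class WorkflowServer:
    def __init__(self, user_keys: dict, server_key: bytes):
        self.user_keys = user_keys
        self.server_key = server_key
        self.sessions = {}          # session id -> requisition data (step 1)
        self.requisitions = {}      # archived signed requisitions (step 2)
        self.purchase_orders = {}   # archived orders linked to requisitions (step 4)
        self.outbox = []            # secured orders awaiting transmission (step 5)

    def present(self, session_id: str, requisition: dict) -> str:
        """Step 1: keep the data server-side, hand the user a view to sign."""
        self.sessions[session_id] = requisition
        return render_view(requisition)

    def submit(self, session_id: str, user: str, signed_view: str, signature: str) -> str:
        """Steps 2-5, performed automatically once the signed view comes back."""
        requisition = self.sessions[session_id]
        if not verify(self.user_keys[user], signed_view.encode(), signature):
            raise ValueError("user signature does not verify")
        # Re-render from the session data: the signed view must be exactly what was
        # presented, otherwise the signature covers something other than the data.
        if signed_view != render_view(requisition):
            raise ValueError("signed view does not match session data")
        self.requisitions[requisition["id"]] = {
            "data": requisition, "view": signed_view, "signer": user, "signature": signature,
        }
        del self.sessions[session_id]
        order_id = f"PO-{len(self.purchase_orders) + 1:04d}"
        order = build_order(requisition, order_id)
        self.purchase_orders[order_id] = {"requisition_id": requisition["id"], "order": order}
        # Step 5: the *server* secures the order; the user's signature stays in the
        # archive and never reaches the supplier. This is the footnote's sore point.
        self.outbox.append((requisition["supplier"], order, sign(self.server_key, order)))
        return order_id


# Constructed sample keys and requisition for the demonstration.
USER_KEYS = {"alice": b"alice-demo-key"}
SERVER_KEY = b"workflow-server-demo-key"
REQUISITION = {
    "id": "REQ-2024-17",
    "supplier": "Acme Supplies",
    "lines": [{"item": "Laptop", "qty": 2, "unit_price": 1200},
              {"item": "Docking station", "qty": 2, "unit_price": 180}],
}


def run_demo() -> tuple:
    server = WorkflowServer(USER_KEYS, SERVER_KEY)
    view = server.present("sess-1", REQUISITION)
    signature = sign(USER_KEYS["alice"], view.encode())   # performed on the user's side
    order_id = server.submit("sess-1", "alice", view, signature)
    return server, order_id


if __name__ == "__main__":
    srv, oid = run_demo()
    print(oid, srv.outbox[0][1].decode())
```

The re-render check in `submit` is what makes signing a view defensible: a valid user signature over a view that differs from the session data (say, a total edited in the browser) is rejected, so the archived signature always corresponds to the archived data from which the order was generated.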