OASIS Mailing List Archives

egov message



Subject: "Dry" and "Wet" signatures - A definition


Dear list,
In a previous posting where I referred to some discussions concerning a possible Web Sign standards effort within OASIS, "Dry" and "Wet" signatures were mentioned.  Several off-list messages indicate that these terms need a proper explanation.

This comes as no big surprise, as these terms have actually been coined by myself in the absence of an established terminology in this actually rather virgin field.

"Wet" web-signatures
An editable document, be it an MS Word document or an HTML form with edit fields, radio buttons etc., is filled in and signed by the user and then sent to the service provider.

"Dry" web-signatures
The user is (after an arbitrary interactive process with a service provider) presented a static (read-only) document and is requested to sign it in order to indicate "acceptance".  Since the document actually comes from the service provider, the result sent to the service provider is typically only a detached signature of the shown document.
 
Further comments
These schemes represent two different schools, one which tries to mimic the existing paper form world, while the other scheme is more aligned with how the web is currently used.
 
Implications
Superficially these schemes may appear similar, but that is indeed not the case; there is probably a 10-to-1 difference in complexity unless you restrict "Wet" signatures to only support a single document format.  The reason for this increase in complexity is that each document format has its own native signature format (or has no defined signature format at all), as well as its own input data validation scheme.  Using "Dry" detached signatures, you can achieve the same thing as S/MIME does, namely document format independence with respect to the signature process (except for some trivial canonicalizations).  Possible input data validation is assumed to have been carried out in earlier phases of a web session, using standard web methodology.  There are numerous other implications as well concerning the use of "Wet" and "Dry" signatures, but these are far outside the range of an e-mail posting.
 
Anders Rundgren
Working for a major US computer security company but here acting as an individual
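
The "Dry" flow described in the posting above, as an added example that is not part of the original message: one sign/verify routine handles an HTML document and a binary document alike, and only the detached signature travels back to the provider. Ed25519 over a SHA-256 digest, the CRLF-to-LF canonicalization, the function names and both sample documents are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// digest hashes the document. Text formats first get one trivial
// canonicalization (assumed here: CRLF -> LF) so line-ending rewrites survive.
func digest(doc []byte, text bool) []byte {
	if text {
		doc = bytes.ReplaceAll(doc, []byte("\r\n"), []byte("\n"))
	}
	sum := sha256.Sum256(doc)
	return sum[:]
}

// signDry runs on the user's side over the read-only document as shown.
// Only the detached signature it returns goes back to the service provider.
func signDry(priv ed25519.PrivateKey, shown []byte, text bool) []byte {
	return ed25519.Sign(priv, digest(shown, text))
}

// verifyDry runs at the service provider against its own stored copy.
func verifyDry(pub ed25519.PublicKey, stored, sig []byte, text bool) bool {
	return ed25519.Verify(pub, digest(stored, text), sig)
}

// demo reports, in order: HTML ok, binary ok, CRLF copy ok,
// CRLF copy without canonicalization ok, altered copy ok.
func demo() [5]bool {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	html := []byte("<html>\n<body>I accept the terms.</body>\n</html>\n") // constructed
	blob := []byte{0x25, 0x50, 0x44, 0x46, 0x0d, 0x0a, 0x00, 0xff}        // constructed binary
	crlf := bytes.ReplaceAll(html, []byte("\n"), []byte("\r\n"))
	altered := bytes.Replace(html, []byte("accept"), []byte("reject"), 1)
	sigHTML, sigBlob := signDry(priv, html, true), signDry(priv, blob, false)
	return [5]bool{
		verifyDry(pub, html, sigHTML, true), verifyDry(pub, blob, sigBlob, false),
		verifyDry(pub, crlf, sigHTML, true), verifyDry(pub, crlf, sigHTML, false),
		verifyDry(pub, altered, sigHTML, true),
	}
}

func main() {
	fmt.Println(demo()) // [true true true false false]
}
```

The fourth result shows why the canonicalization step matters: a stored copy that differs from the signed text only in line endings fails verification when it is hashed as raw bytes.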

