RE: [egov] Re: Secure Workflow. Was: [egov] "Dry" and "Wet" signatures - A definition

["Peter F Brown" <peter@justbrown.net>]

+1
And to echo Ed's point, this is where identity comes in. Even if a
"document" is permanently mutable, that doesn't necessarily hold for each of
the "manifestations" of the document that are created and captured over time
(snapshots, if you will). These manifestations (whether you consider then as
versions or whatever is a context issue) are - by definition - immutable and
can - must - be given identity and can be signed. The "wet" document as a
conceptual "work in progress" can also be given an immutable identity but
signing this would be pointless as the time-frozen "snapshot" really
captures the state at a given moment. You can then build associations
between the abstract "work" and the specific, signed, manifestations and
make assertions on those associations ("this is the draft submission v2.6 as
presented to the auditors on DDMMYYYY...")

Where do we want to go with this? Are we looking for a policy framework for
recognition of digitally-signed and long-term archived documents? If so,
then I think the Austrian government and others in the European Union might
be interested, as this is a hot political topic at present.

Regards,

-Peter

-----Original Message-----
From: Duane Nickull [mailto:dnickull@adobe.com] 
Sent: 29 August 2005 21:32
To: John Messing
Cc: Ed Chase; eGov OASIS; Anders Rundgren
Subject: Re: [egov] Re: Secure Workflow. Was: [egov] "Dry" and "Wet"
signatures - A definition



John Messing wrote:

>I think that is where Anders began the discussion.
>  
>
Anders began this thread with a statement that this field is virgin and
somewhat open.  I felt compelled to point out, as you have, that it is
somewhat mature and there are even legislated standards in North America.

Summary?

The point I felt needed clarification is the set of assumptions and logic
pertaining to document mutability.  I will assert that all documents are
mutable (wet) and one should never make an assumption that the format itself
provides protection against change.  Even PDF can be changed if you employ
the right libraries.  A better methodology is to assume from the start that
all documents are mutable and ensure your digital signature mechanism can
link a specific signature to the exact content that was signed. 

To completely satisfy legal requirements, even the algorithms used by the
agent to present the original electronic content to the one who signs it is
important to capture since someone may eventually challenge you to provide
proof that the signer saw the exact same document that is being rendered
later.  Even a change in screen resolution, screen settings (B&W vs 16 bit
color vs 256 bit color) and versions of JVM's can present problems on this
front.

Duane

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  You may a link to this group and all your TCs in OASIS
at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php